[Research][ASP.NET] Fortify Static Code Analyzer (SCA) reports possible Cross-Site Scripting: Persistent (XSS) when data fetched from the database is displayed directly in a Label
2021-07-07; additions on 2021-08-11 and 2021-11-15
SqlDataReader reader = command.ExecuteReader();
while (reader.Read())
{
    string myCounts = reader["MyCounts"].ToString();
    Label_Message.ForeColor = System.Drawing.Color.Red;
    Label_Message.Text = "次數:" + myCounts;   // value from the database is written to the page unencoded
}
Change to

using System.Web.Security.AntiXss;

SqlDataReader reader = command.ExecuteReader();
while (reader.Read())
{
    string myCounts = reader["MyCounts"].ToString();
    myCounts = AntiXssEncoder.HtmlEncode(myCounts, true);   // HTML-encode before it reaches the control
    Label_Message.ForeColor = System.Drawing.Color.Red;
    Label_Message.Text = "次數:" + myCounts;
}
********************************************************************************
Addition, 2021-08-11
Visual Studio 2019 + WebForm + C# + WebApplication
This is a snippet from a ListView. In one solution Fortify SCA reported a problem with it,
but in the ListView of another solution it was not reported (reason unknown).
<asp:Literal ID="Label1" runat="server" Text='<%# Eval("主題") %>' />
Change to
<asp:Literal ID="Label1" runat="server" Text='<%# AntiXssEncoder.HtmlEncode(Eval("主題"),true) %>' />
This produces the error "CS0103: 名稱 'AntiXssEncoder' 不存在於目前的內容中" (in English builds: "CS0103: The name 'AntiXssEncoder' does not exist in the current context").
Compiler Error CS0103
https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-messages/cs0103?f1url=%3FappId%3Droslyn%26k%3Dk(CS0103)
Change to
<asp:Literal ID="Label1" runat="server" Text='<%# System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("主題"), true) %>' />
An error appears.
Change to
<asp:Literal ID="Label1" runat="server" Text='<%# System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("主題").ToString(), true) %>' />
No more warning.
********************************************************************************
Addition, 2021-11-15
If the value below may be null
<asp:Label ID="Label6" runat="server" Text='<%# Eval("Code") %>' />
first check for null and turn null into the empty string ""
<asp:Label ID="Label6" runat="server" Text='<%#( Eval("Code") == null ? "" : Eval("Code").ToString() )%>' />
and then deal with the XSS problem
<asp:Label ID="Label6" runat="server" Text='<%# System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(( Eval("Code") == null ? "" : Eval("Code").ToString() ), true) %>' />
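The three problems met above (missing namespace, Eval() returning object rather than string, and null values) can be handled once in a helper instead of being repeated in every binding expression. This is an added example, not code from the original post; the class name XssSafe and the method name Text are assumed.

```csharp
using System;
using System.Web.Security.AntiXss;   // System.Web.dll, .NET Framework 4.5 or later

// Assumed helper (not from the post): null/DBNull -> "" and then
// AntiXssEncoder.HtmlEncode, so a stored value is rendered as text,
// never as markup, wherever it is written into a control.
public static class XssSafe
{
    // Accepts object so it can take Eval("...") from a binding expression
    // and reader["..."] from a SqlDataReader alike.
    public static string Text(object value, bool useNamedEntities = true)
    {
        // Eval() on a DataRowView and reader[...] return DBNull.Value for
        // a NULL column; other data sources return null. Treat both as "".
        string s = (value == null || value == DBNull.Value) ? "" : value.ToString();
        return AntiXssEncoder.HtmlEncode(s, useNamedEntities);
    }
}

// Code-behind usage for the Label case in the first section:
//
//   using (SqlDataReader reader = command.ExecuteReader())
//   {
//       while (reader.Read())
//       {
//           Label_Message.ForeColor = System.Drawing.Color.Red;
//           Label_Message.Text = "次數:" + XssSafe.Text(reader["MyCounts"]);
//       }
//   }
//
// Data-binding usage for the ListView/Label cases. The markup must be able
// to see the class: either put XssSafe in the page's own namespace or add
// <%@ Import Namespace="YourProject.Namespace" %> at the top of the .aspx
// (namespace name is a placeholder).
//
//   <asp:Label ID="Label6" runat="server" Text='<%# XssSafe.Text(Eval("Code")) %>' />
//
// A constructed stored value such as "<script>alert(1)</script>" passes
// through Text() with its angle brackets and quotes encoded, so the
// browser shows the characters instead of executing them.
```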
(End)
Related
[Research][ASP.NET] Fortify Static Code Analyzer (SCA) reports possible Cross-Site Scripting: Persistent (XSS) when data fetched from the database is displayed directly in a Label
https://shaurong.blogspot.com/2021/07/aspnetfortify-static-code-analyzer-sca.html
[Research] Microsoft Anti-XSS Library V4.3 (Anti-Cross Site Scripting Library) and AntiXssEncoder.HtmlEncode
http://shaurong.blogspot.com/2017/06/microsoft-anti-xss-library-v43-anti.html
[Research] Microsoft Anti-XSS Library V4.3 (Anti-Cross Site Scripting Library)
https://shaurong.blogspot.com/2017/06/microsoft-anti-xss-library-v43-anti.html
AntiXssEncoder.HtmlEncode Method (System.Web.Security.AntiXss) | Microsoft Docs
https://docs.microsoft.com/zh-tw/dotnet/api/system.web.security.antixss.antixssencoder.htmlencode?view=netframework-4.8
[Research][ASP.NET] Fortify SCA v17.20 still reports a problem after using AntiXssEncoder.HtmlEncoder
https://shaurong.blogspot.com/2018/04/aspnet-antixssencoderhtmlencoder.html
[Research][ASP.NET] Fixing Cross-site scripting (XSS) (Reflected XSS) on DropDownList1
https://shaurong.blogspot.com/2017/09/aspnet-dropdownlist1-cross-site.html
[Research][ASP.NET] Cross-Site Scripting (XSS) prevention with whitelist input validation
https://shaurong.blogspot.com/2019/06/aspnet-cross-site-scriptingxss.html
[Research] X-XSS Protection
https://shaurong.blogspot.com/2017/06/x-xss-protection.html
[Research][ASP.NET][C#] Solution for Fortify SCA reporting Cross-Site Scripting: Persistent on Eval()
https://shaurong.blogspot.com/2020/10/aspnetcfortify-sca-eval-cross-site.html
[Research] Fortify SCA 19.10 and jquery-3.3.1-vsdoc.js, line 812 (Dynamic Code Evaluation Code Injection)
https://shaurong.blogspot.com/2019/07/fortify-sca-1910-jquery-331-vsdocjs.html
[Research] Fortify SCA reports an Insecure Transport: Database problem for the connection information in Web.Config
https://shaurong.blogspot.com/2018/12/fortify-sca-webconfig.html
[Research][ASP.NET] Fortify SCA v17.20 reports a Web.config (Insecure Transport: Database) Critical problem
https://shaurong.blogspot.com/2018/04/aspnet-fortify-sca-v1720-webconfig.html
[Research][JavaScript] CKeditor 4.9.1 and Fortify SCA v17.20
https://shaurong.blogspot.com/2018/04/javascript-ckeditor-491-fortify-sca.html
[Research][ASP.NET][JavaScript] hideShowPassword and Fortify SCA white-box testing
https://shaurong.blogspot.com/2018/04/aspnetjavascript-hideshowpassword.html