- ABP Framework version: v9.X.X
- UI Type: MVC / Blazor WASM / Blazor Server
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
- Exception message and full stack trace:
- Steps to reproduce the issue:
Currently the CRUD page has XSS issues. What's the best way to fix it, i.e. with HTML encoding, etc.?
5 Answer(s)
-
0
Can you elaborate on your example a bit more? Why do you suspect an XSS vulnerability? This does not seem to be a security issue, because only the website can change cookies. Third parties cannot change the cookie value, as the browser is responsible for the security of the cookies. The scenario of attacking the local machine and getting the cookie is another issue that the victim should care about, because even if the attacker gets the cookie, there is no need to evaluate a script on it. They can log into your account with the cookie without any password and do whatever they want. In summary, this is not a real-world attack vector.
-
0
We wanted to prevent an adversary from executing unsanitized JavaScript in the browser. The suggestion online is:

1. User input should be validated as strictly as possible and have an appropriate permitted length based on the kind of content it is expected to contain (i.e., personal names should consist of letters while excluding symbols and numbers; a year should be composed of 4 digits; e-mail addresses should be validated with a regular expression).
2. User input should be HTML-encoded whenever it is reflected in an application's response. Special characters, including < > " ' and =, should be encoded with the corresponding HTML entities (&lt;, &gt;, etc.).

I actually saw a post talking about this issue here: https://github.com/abpframework/abp/issues/7751
Anyway, I am thinking to do:

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
using Tapp.Enums;

namespace Tapp.DataHub.TappOrganizations
{
    public class TappOrganizationCreateDto : TappOrganizationCreateDtoBase
    {
        public Guid? Id { get; set; }

        [Required]
        [RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
        public string Position { get; set; } = String.Empty;

        public Guid UserId { get; set; }

        [Required(ErrorMessage = "Please select at least one code.")]
        public List // property declaration truncated in the original post

        [Required]
        [RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
        public new string Address { get; set; }

        [Required]
        [RegularExpression(@"^[0-9+\-\(\)\s]*$", ErrorMessage = "Invalid phone number format")]
        public new string OfficePhone { get; set; }

        public List<Guid>? TappThemeAttributeList { get; set; } = new List<Guid>();
    }
}
```
and
```cshtml
<abp-modal-header title="@Html.Raw(HttpUtility.HtmlEncode(L["NewTappOrganization"].Value))"></abp-modal-header>
```
and

```csharp
private void SanitizeInput(TappOrganizationCreateViewModel model)
{
    if (model == null) return;

    // HTML encode all string properties
    model.Position = HttpUtility.HtmlEncode(model.Position);
    model.Address = HttpUtility.HtmlEncode(model.Address);
    model.OfficePhone = HttpUtility.HtmlEncode(model.OfficePhone);
    model.OrgName = HttpUtility.HtmlEncode(model.OrgName);
    model.WebsiteUrl = HttpUtility.HtmlEncode(model.WebsiteUrl);
    model.OrganizationNumber = HttpUtility.HtmlEncode(model.OrganizationNumber);
    model.Country = HttpUtility.HtmlEncode(model.Country);
    model.Region = HttpUtility.HtmlEncode(model.Region);
    model.Community = HttpUtility.HtmlEncode(model.Community);
    model.PostalCode = HttpUtility.HtmlEncode(model.PostalCode);
    model.StreetAddress = HttpUtility.HtmlEncode(model.StreetAddress);
    model.AddressNumber = HttpUtility.HtmlEncode(model.AddressNumber);
    model.AddressFormatted = HttpUtility.HtmlEncode(model.AddressFormatted);
    model.NaicsCodes = HttpUtility.HtmlEncode(model.NaicsCodes);
}
```
But I am wondering if ABP provides a better solution? Or rather, a solution that I can:
- apply to all my CRUD pages
- without being overwritten by regenerated code in the future.
Thank you.
-
0
Hi,
I understand your problem now. Yes, you can implement this method, there is no problem with that. However, instead of implementing this manually to all CRUD pages, my advice to you would be to customize the templates of ABP Suite. You can find all the templates in the picture below, you can customize the templates here according to your needs, ABP Suite will generate the code according to your customization. See more: https://abp.io/docs/latest/suite/editing-templates
If you don't want to do this, you can generate customizable code with ABP Suite so you can customize the generated code as you want. See more: https://abp.io/docs/latest/suite/customizing-the-generated-code
-
0
Thanks for your answer. I checked the link you gave me and this one: https://abp.io/docs/latest/suite/editing-templates
but could not find the instructions on how to use these variables:
%%%%item-dto-properties%%%%item-dto-np-properties%%%%item-dto-nc-properties
This is Server.AppService.ItemCreateDto.txt and I am trying to update it to include my RegularExpression, i.e.:

```csharp
[RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
public new string Address { get; set; }
```

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Collections.Generic;

namespace %%solution-namespace%%%%<if:ApplicationContractsNotExists>%%%%.AppServices%%</if:ApplicationContractsNotExists>%%.%%entity-namespace%%
{
    public %%custom-code-abstract-modifier%% class %%entity-name%%CreateDto%%custom-code-base%%
    {
        %%child-master-entity-primary-key%%%%item-dto-properties%%%%item-dto-np-properties%%%%item-dto-nc-properties%%
    }
}
```
-
0
Hi, unfortunately the related attributes (including the regex attribute) are generated on the code side, and ABP Suite does not allow you to update them directly via editing templates.
So, the best option you have is to add the related property name to your ItemDto.extended.cs class with the relevant attribute and manually override the related property in the generated ABP Suite DTO class (of course, for doing that you should generate your entity with custom code support):

```csharp
public class BookDto : BookBaseDto
{
    [RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
    public new string Address { get; set; }
}
```

The variables that you are looking for (%%%%item-dto-properties%%%%item-dto-np-properties%%%%item-dto-nc-properties) are generated on the code side, and they are just the related properties that should be listed on the relevant DTO classes.
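An added, runnable example (not code from the thread or from ABP) that puts the two pieces together: the hand-written BookDto from the *.extended.cs pattern above, checked with DataAnnotations the same way MVC model binding validates the attributes, followed by the output encoding step from the earlier post. BookBaseDto is an assumed stand-in for the Suite-generated base class, and the addresses are constructed sample inputs.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Net;

// Assumed stand-in for the DTO class that ABP Suite generates and may regenerate.
public class BookBaseDto
{
    public string Address { get; set; } = string.Empty;
}

// Hand-written class kept in the *.extended.cs file: the `new` property hides the
// generated one and carries the validation attribute, so regeneration does not remove it.
public class BookDto : BookBaseDto
{
    [Required]
    [RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
    public new string Address { get; set; } = string.Empty;
}

public static class DtoValidationDemo
{
    // Runs the DataAnnotations attributes on every property, as the MVC model binder does.
    public static IList<ValidationResult> Validate(object dto)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(dto, new ValidationContext(dto), results, validateAllProperties: true);
        return results;
    }

    public static void Main()
    {
        // Constructed sample inputs: one plain address and one carrying markup characters.
        var plain = new BookDto { Address = "12 Main Street" };
        var markup = new BookDto { Address = "<b>Main</b> Street" };

        Console.WriteLine($"plain: {Validate(plain).Count} validation error(s)");
        foreach (var r in Validate(markup))
            Console.WriteLine($"markup: {r.ErrorMessage}");

        // Second layer: encode when the value is written into HTML, independent of input validation.
        Console.WriteLine(WebUtility.HtmlEncode(markup.Address));
    }
}
```

Note that Razor's @ syntax already HTML-encodes, so @Html.Raw(HttpUtility.HtmlEncode(x)) renders the same as @x, and encoding values before saving them (as in SanitizeInput) stores entity-encoded text that is encoded a second time on display.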