- ABP Framework version: v9.X.X
- UI Type: MVC / Blazor WASM / Blazor Server
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
- Exception message and full stack trace:
- Steps to reproduce the issue:
Currently the CRUD page has XSS issues. What's the best way to fix it, i.e. with HTML encoding, etc.?
5 Answer(s)
0
Can you elaborate on your example a bit more? Why do you suspect an XSS vulnerability? This does not seem to be a security issue, because only the website can change cookies; third parties cannot change the cookie value, as the browser is responsible for the security of cookies. The scenario of attacking the local machine and getting the cookie is another issue that the victim should care about, because even if the attacker gets the cookie, there is no need to evaluate a script with it: they can log into your account with the cookie without any password and do whatever they want.
In summary, this is not a real-world attack vector.
0
We wanted to prevent an adversary from executing unsanitized JavaScript in the browser. The suggestion online is:
1. User input should be validated as strictly as possible and have an appropriate permitted length based on the kind of content that it is expected to contain (i.e., personal names should consist of letters while excluding symbols and numbers; a year should be composed of 4 digits; e-mail addresses should be validated with a regular expression).
2. User input should be HTML-encoded whenever it is reflected in an application's response. Special characters, including < > " ' and =, should be encoded with the corresponding HTML entities (&lt;, &gt;, etc.).
I actually saw a post talking about this issue here: https://github.com/abpframework/abp/issues/7751
Anyway, I am thinking to do:
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
using Tapp.Enums;

namespace Tapp.DataHub.TappOrganizations
{
    public class TappOrganizationCreateDto : TappOrganizationCreateDtoBase
    {
        public Guid? Id { get; set; }

        // Reject the characters an attacker needs to break out of an HTML context.
        [Required]
        [RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
        public string Position { get; set; } = String.Empty;

        public Guid UserId { get; set; }

        // The type argument of this list was lost when the post was rendered; string is assumed here.
        [Required(ErrorMessage = "Please select at least one code.")]
        public List<string> NaicsCodeList { get; set; } = new List<string>();

        public string ConcurrencyStamp { get; set; } = null!;

        // 'new' hides the base-class properties so that the validation attributes apply here.
        [Required]
        [RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
        public new string Address { get; set; }

        [Required]
        [RegularExpression(@"^[0-9+\-\(\)\s]*$", ErrorMessage = "Invalid phone number format")]
        public new string OfficePhone { get; set; }

        public List<Guid>? TappThemeAttributeList { get; set; } = new List<Guid>();
    }
}
and
<abp-modal-header title="@Html.Raw(HttpUtility.HtmlEncode(L["NewTappOrganization"].Value))"></abp-modal-header>
and
// requires: using System.Web;
private void SanitizeInput(TappOrganizationCreateViewModel model)
{
    if (model == null) return;

    // HTML-encode all string properties
    model.Position = HttpUtility.HtmlEncode(model.Position);
    model.Address = HttpUtility.HtmlEncode(model.Address);
    model.OfficePhone = HttpUtility.HtmlEncode(model.OfficePhone);
    model.OrgName = HttpUtility.HtmlEncode(model.OrgName);
    model.WebsiteUrl = HttpUtility.HtmlEncode(model.WebsiteUrl);
    model.OrganizationNumber = HttpUtility.HtmlEncode(model.OrganizationNumber);
    model.Country = HttpUtility.HtmlEncode(model.Country);
    model.Region = HttpUtility.HtmlEncode(model.Region);
    model.Community = HttpUtility.HtmlEncode(model.Community);
    model.PostalCode = HttpUtility.HtmlEncode(model.PostalCode);
    model.StreetAddress = HttpUtility.HtmlEncode(model.StreetAddress);
    model.AddressNumber = HttpUtility.HtmlEncode(model.AddressNumber);
    model.AddressFormatted = HttpUtility.HtmlEncode(model.AddressFormatted);
    model.NaicsCodes = HttpUtility.HtmlEncode(model.NaicsCodes);
}
but I am wondering if ABP provides a better solution? Or rather, a solution that I can:
- apply to all my CRUD pages
- without being overwritten by regenerated code in the future.
thank you
0
Hi,
I understand your problem now. Yes, you can implement this method; there is no problem with that. However, instead of implementing this manually on all CRUD pages, my advice would be to customize the templates of ABP Suite. You can find all the templates in the picture below; you can customize the templates there according to your needs, and ABP Suite will generate the code according to your customization. See more: https://abp.io/docs/latest/suite/editing-templates
If you don't want to do this, you can generate customizable code with ABP Suite so you can customize the generated code as you want. See more: https://abp.io/docs/latest/suite/customizing-the-generated-code
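As an added example (not code from this thread, from ABP Suite or from the ABP Framework), here is the approach the question and the answer above point toward, in a form that does not live in generated files: one reusable DataAnnotations attribute that holds the "no markup characters" rule, applied to a DTO, plus a small check showing why HTML encoding belongs at output time and what encoding on input (the SanitizeInput idea above) produces once Razor encodes the value again on output. The attribute name NoMarkupAttribute, the OrganizationCreateDto shape and the sample values are assumptions made for the demonstration; only the BCL is used, and it runs as a plain console program.

```csharp
// Added example: not code from the thread or from the ABP Framework.
// Assumptions: the attribute name NoMarkupAttribute, the OrganizationCreateDto shape
// and the sample values are invented for this demonstration. Only the BCL is used.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.Encodings.Web;
using System.Text.RegularExpressions;

// One place for the "no markup characters" rule. DTOs reference this attribute instead of
// repeating the regex, so the rule can be changed once and is not tied to generated code.
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field, AllowMultiple = false)]
public sealed class NoMarkupAttribute : ValidationAttribute
{
    // Same character set the thread's regex rejects: < > ' " and backtick.
    private static readonly Regex Forbidden = new Regex(@"[<>'""`]", RegexOptions.Compiled);

    public NoMarkupAttribute() : base("The field {0} contains characters that are not allowed.") { }

    public override bool IsValid(object? value)
    {
        // Null/empty is [Required]'s job; this attribute only rejects markup characters.
        if (value is not string text) return true;
        return !Forbidden.IsMatch(text);
    }
}

// A DTO shaped like the create DTO in the thread, using the shared attribute.
public class OrganizationCreateDto
{
    [Required, StringLength(100), NoMarkup]
    public string Position { get; set; } = string.Empty;

    [Required, RegularExpression(@"^[0-9+\-\(\)\s]*$", ErrorMessage = "Invalid phone number format")]
    public string OfficePhone { get; set; } = string.Empty;
}

public static class XssDemo
{
    // Runs DataAnnotations validation the way ASP.NET Core model binding (and ABP's
    // automatic application-service input validation) does before the DTO reaches your code.
    public static IList<ValidationResult> Validate(object dto)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(dto, new ValidationContext(dto), results, validateAllProperties: true);
        return results;
    }

    // What Razor does with @Model.Position: encode once, at output.
    public static string RenderOnce(string raw) => HtmlEncoder.Default.Encode(raw);

    // What you get if the value was already encoded on input (SanitizeInput in the thread)
    // and Razor then encodes it again on output.
    public static string RenderAfterInputEncoding(string raw) =>
        HtmlEncoder.Default.Encode(HtmlEncoder.Default.Encode(raw));

    public static void Main()
    {
        var good = new OrganizationCreateDto { Position = "Chief Engineer", OfficePhone = "+1 (555) 010-2000" };
        var bad = new OrganizationCreateDto { Position = "<img src=x onerror=alert(1)>", OfficePhone = "555; call me" };

        // The valid DTO produces no errors; the bad one reports one error per property.
        Console.WriteLine($"good: {Validate(good).Count} error(s)");
        foreach (var r in Validate(bad))
            Console.WriteLine($"bad: {r.ErrorMessage}");

        // Output encoding neutralises the payload: '<' becomes '&lt;' and the browser shows literal text.
        Console.WriteLine(RenderOnce("<b>O'Neil</b>"));

        // Double encoding turns '&lt;' into '&amp;lt;', so the page visibly shows "&lt;b&gt;":
        // a display bug, not a security gain.
        Console.WriteLine(RenderAfterInputEncoding("<b>O'Neil</b>"));
    }
}
```

Put [NoMarkup] on the properties in the DTO partials that are not overwritten by regeneration (the custom-code support described in the answer above), or on a base DTO of your own; ABP validates DataAnnotations on application-service inputs automatically, so a rejected value never reaches the repository. Keep HttpUtility.HtmlEncode out of the input path: Razor encodes on output and Blazor renders text through the DOM rather than as markup, so input-side encoding yields the double-encoded form shown above and also stores altered data (for example, HttpUtility.HtmlEncode turns O'Neil into O&#39;Neil) that any non-HTML consumer of the database then sees.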
0
thanks for your answer,
I checked the link you gave me and this one:
https://abp.io/docs/latest/suite/editing-templates
but could not find instructions on how to use these variables:
%%item-dto-properties%% %%item-dto-np-properties%% %%item-dto-nc-properties%%
This is Server.AppService.ItemCreateDto.txt, and I am trying to update it to include my RegularExpression, i.e.:
[RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
public new string Address { get; set; }

using System;
using System.ComponentModel.DataAnnotations;
using System.Collections.Generic;

namespace %%solution-namespace%%%%<if:ApplicationContractsNotExists>%%.AppServices%%</if:ApplicationContractsNotExists>%%.%%entity-namespace%%
{
    public %%custom-code-abstract-modifier%% class %%entity-name%%CreateDto%%custom-code-base%%
    {
        %%child-master-entity-primary-key%%
        %%item-dto-properties%%
        %%item-dto-np-properties%%
        %%item-dto-nc-properties%%
    }
}
0
Hi, unfortunately, the related attributes (including the regex attribute) are generated on the code side, and ABP Suite does not allow you to update them directly by editing templates.
So, the best option you have is to add the related property name to your ItemDto.extended.cs class with the relevant attribute and manually override the related property in the generated ABP Suite DTO class (of course, for doing that you should generate your entity with custom code support):

public class BookDto : BookBaseDto
{
    [RegularExpression(@"^[^<>'""`]*$", ErrorMessage = "Invalid characters detected")]
    public new string Address { get; set; }
}

The variables that you are looking for (%%item-dto-properties%%, %%item-dto-np-properties%%, %%item-dto-nc-properties%%) are generated on the code side; they are just the related properties that should be listed on the relevant DTO classes.