Feb 25, 2014, 9:03 AM
[CLOSED] XSS on store initialization
Hello. Please review the following example:
Could you please suggest how I can set the data or a store filter so that XSS attacks are not possible?
Best regards.
<%@ Page Language="C#" %>
<%-- Repro page: a single GridPanel whose Store declares the Id and Name fields; the rows are bound in the server-side Page_Load. --%>
<!DOCTYPE html>
<html>
<head runat="server">
</head>
<body>
<form runat="server">
<ext:ResourceManager runat="server" />
<ext:GridPanel ID="grid" runat="server" Height="400" Width="300">
<Store>
<ext:Store ID="store" runat="server">
<Model>
<ext:Model runat="server" IDProperty="Id">
<Fields>
<ext:ModelField Name="Id" />
<ext:ModelField Name="Name" />
</Fields>
</ext:Model>
</Model>
</ext:Store>
</Store>
<ColumnModel>
<Columns>
<%-- Shows the Name field; no renderer or encoding option is configured on this column in the markup. --%>
<ext:Column Text="XSS" DataIndex="Name" />
</Columns>
</ColumnModel>
</ext:GridPanel>
</form>
</body>
</html>
Server-side code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace ExtJSTesApplication
{
    /// <summary>
    /// Code-behind for the XSS reproduction page. It binds rows whose Name holds
    /// markup to the grid's store so the client script generated for the page
    /// can be inspected for missing output encoding.
    /// </summary>
    public partial class XSSTest : System.Web.UI.Page
    {
        /// <summary>
        /// Row type bound to the store; its properties match the Id and Name model fields.
        /// </summary>
        private class Entity
        {
            public int Id { get; set; }

            public string Name { get; set; }
        }

        // Probe value: ordinary text followed by a closing script tag and a new
        // script element. The init script shown on this page embeds it unescaped
        // inside an inline <script> block, which is the behaviour being reported.
        // NOTE(review): data that may contain markup has to be escaped for the
        // script context when it is serialized (for example "<" written as \u003c)
        // and HTML-encoded again when it is rendered into a cell.
        private readonly string _probe = "test XSS </script><script>alert('XSS')</script>";

        /// <summary>
        /// Binds the test rows to the store. The commented-out calls are the
        /// filter-based variants the question also asks about.
        /// </summary>
        /// <param name="sender">Event source supplied by the page life cycle.</param>
        /// <param name="e">Event data; not used.</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            //store.Filter("Name", _probe);

            // Case a) bind the probe value as row data.
            List<Entity> rows = GetData(1);
            store.DataSource = rows;
            store.DataBind();

            // Case b) pass the probe value as a filter value instead.
            //store.Filters.Add(new Ext.Net.DataFilter.Config()
            //{
            //    Property = "Name",
            //    Value = _probe
            //});
        }

        /// <summary>
        /// Builds <paramref name="n"/> rows with Ids 0..n-1, each carrying the probe value as Name.
        /// </summary>
        /// <param name="n">Number of rows to create.</param>
        /// <returns>A new list holding the generated rows.</returns>
        private List<Entity> GetData(int n)
        {
            return Enumerable.Range(0, n)
                .Select(index => new Entity { Id = index, Name = _probe })
                .ToList();
        }
    }
}
When I run this page, I see an alert. The following script is generated by Ext.Net:
<script type="text/javascript">
//<![CDATA[
Ext.net.ResourceMgr.init({"id":"ResourceManager1","aspForm":"Form1"});Ext.onReady(function(){Ext.create("Ext.grid.Panel",{"store":{"model":Ext.define("App.Model1", {extend: "Ext.data.Model", "fields":[{"name":"Id"},{"name":"Name"}],"idProperty":"Id" }),"storeId":"store","autoLoad":true,
"proxy":{
data:[{"Id":0,"Name":"test XSS </script><script>alert('XSS')</script>"}],
type: 'memory'
}},"id":"grid","height":400,"renderTo":"App.grid_Container","width":300,"columns":{"items":[{"dataIndex":"Name","text":"XSS"}]}});});
//]]>
</script>
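As you can see in the line
data:[{"Id":0,"Name":"test XSS </script><script>alert('XSS')</script>"}]
the string is not encoded, which makes the page vulnerable to XSS attacks: the `</script>` inside the value ends the inline script block, and the markup after it is parsed as a new script element. Could you please suggest how I can set the data or a store filter so that XSS attacks are not possible?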
Best regards.