XSS, HttpEncode, AspView and being Secure By Default

on December 21st, 2007 at 9:21am, 21 responses

If you do not know what XSS is, or how easily you can expose your application to it, take a short read of the following posts:

AspView was written by me, for my own (and my employer's at the time) use. Therefore, I did not make it 'secure by default' in terms of HttpEncode.

However, seeing now that the convention leans toward outputting HtmlEncoded text by default, I'm adapting AspView to that.

The usage would be similar to the one suggested for ASP.NET MVC at http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/

So,

<%="<tag>" %>

would output

&lt;tag&gt;

While

<%=RawHtml("<tag>") %>

would output

<tag>

The only exception here is ViewContents on layouts. Since the view contents are made of markup 99% of the time, in the layout you would still write:

<%=ViewContents %>
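As an added illustration (not AspView's own code), here is a minimal C# model of the encode-by-default pipeline described above: Output, RawHtml and ViewContents are the names used in the post, while EncodedFragment, ViewBase and DefaultLayout are assumed names for this sketch, and a null value is rendered as an empty string.

```csharp
using System;
using System.IO;
using System.Net;

// Marker for markup the template author has vouched for; Output passes it through untouched.
public sealed class EncodedFragment
{
    public string Html { get; }
    public EncodedFragment(string html) { Html = html ?? string.Empty; }
}

public abstract class ViewBase
{
    private readonly TextWriter writer;
    protected ViewBase(TextWriter writer) { this.writer = writer; }

    // What <%= expr %> compiles to: HTML-encode everything except an EncodedFragment,
    // and treat null as an empty string rather than throwing.
    protected void Output(object value)
    {
        if (value == null) return;
        if (value is EncodedFragment fragment) { writer.Write(fragment.Html); return; }
        writer.Write(WebUtility.HtmlEncode(value.ToString()));
    }

    // Explicit opt-out, as in <%= RawHtml("<tag>") %>.
    protected EncodedFragment RawHtml(string html) => new EncodedFragment(html);

    // Rendered view output is markup by construction, so a layout emits it raw.
    protected EncodedFragment ViewContents { get; set; } = new EncodedFragment("");
}

// A layout that prints a text field (the title) followed by the view body.
public sealed class DefaultLayout : ViewBase
{
    private readonly string title;
    public DefaultLayout(TextWriter w, string title, string body) : base(w)
    { this.title = title; ViewContents = new EncodedFragment(body); }

    public void Render()
    {
        Output(RawHtml("<h1>")); Output(title); Output(RawHtml("</h1>\n"));
        Output(ViewContents);
        Output(null);            // <%= someNullObject %>: nothing is written
    }

    // Constructed sample input: a title holding markup comes out as &lt;tag&gt;,
    // while the trusted view body is emitted unchanged.
    public static void Main()
    {
        var writer = new StringWriter();
        new DefaultLayout(writer, "<tag>", "<p>Hello world!</p>").Render();
        Console.Write(writer.ToString());
    }
}
```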

All of this is being implemented in AspView trunk (versions 1.0.4.x), which works with Castle trunk.

If anyone wishes me to bubble it down to the 1.0.3.x branch (for Castle RC3), please leave a comment here. Unless I see that people actually want it, I probably won't make the effort.

PCBender on December 21st, 2007 at 2:50pm
I would like to see the changes in the RC3 line, since the Castle trunk seems to break my app. BTW, is there someplace to report bugs and/or make feature requests for AspView?
PC
Ken Egozi on December 22nd, 2007 at 6:09am
Sure. Castle's JIRA (support.castleproject.org). It's also the place to send patches to.
Gauthier Segay on December 25th, 2007 at 1:33pm
Hello Ken, I think I'm not agreeing with the approach described here; in fact I second the comment left on Ayende's post: http://www.ayende.com/Blog/archive/2007/12/20/Cross-Site-Scripting-and-letting-the-framework-deal-with-it.aspx#20335

<%= %> is 1-1 mapped to the HttpResponse.Output method; let's not add a hidden abstraction, because it's not working well if I'm outputting something other than text (say XML, JavaScript, CSS, don't know what).

I would prefer using an explicit HtmlEncode() helper method being available in the ViewBase, along with (Ecmascript|Javascript)Encode() and such great things.

If you are firm on keeping things HTML-encoded by default, maybe change or add another method name for unencoded output, because RawHtml would not apply everywhere; maybe RawOutput or simply Raw.

Hope my point is not dumb.
Gauthier Segay on December 25th, 2007 at 1:36pm
Also, an aside question: is there any silent notation or a convenient/default way to keep Output(null) from crashing on me in AspView? Just asking because it would save me from introducing my own Emptify() in all my view templates. Thanks
Ken Egozi on December 26th, 2007 at 5:56am
@Gauthier: imo, most of the time, in most applications, the <%= %> notation would output text rather than markup of any kind. Even in a content-driven site like this very blog, each post's content is HTML; however, for each post there are also a title and tag names, both of which are text based, so there are more fields that need HtmlEncode than fields that need direct output. At the end of the day, I believe I'll see fewer RawHtml calls in a template than I'd have seen HtmlEncode calls.

As for the naming (RawHtml): since the action of encoding is being done by HtmlEncode, it makes sense that "not encoding" == "raw html". I would, however, add Raw as a convenience call.

As for Output(null) and not being explicit about null -> empty string: the option is to add a null check on all output methods, but it seems like overkill to me. If you're using the properties section you can simply assign a default value of "" to string properties, or otherwise do <%= view.Something ?? "" %>
Ken Egozi on December 26th, 2007 at 7:43am
I take part of it back. <%= someNullObject %> would output an empty string. Makes sense.
Ken Egozi on December 26th, 2007 at 9:02am
After reading the post again, plus reading the comments, plus thinking about it, plus looking at code snippets and trying this out, I came to a different conclusion. All in all, <%= %> won't encode. However, I'll introduce another syntax for encoding. It would make things more consistent, and backward compatible. A post + update to the code, hopefully this weekend.
Felix Gartsman on December 26th, 2007 at 3:44pm
I just modified ScriptToCodeTransformer.AppendCode to encode for <%^ %>. I don't think it breaks anything. Are you working on ViewComponent caching? I'm about to do it, but afraid the ongoing refactoring will make it obsolete.
Gauthier Segay on December 26th, 2007 at 6:09pm
Hi Ken, thanks for considering the point of Response.Write being raw; maybe <%#"<encodeme/>"%> would do for encoded output, keeping the convenience of Visual Studio auto-complete (it seems that the auto-complete "hack" becomes a scarce resource each time you add features to AspView...). I can hear hordes of &lt;HtmlEncodedByDefault/&gt; supporters bumping at my door ;)

For the ?? operator, I keep forgetting how to use it; I discovered it rather late, however it has been available since C# 2. It would do the trick for string properties but won't compile for other types being .ToString'ed via Response.Output:

"""Operator '??' cannot be applied to operands of type 'System.Guid?' and 'string'"""

I'm unsure if silent output for <%= %> is ok for everyone; I like AspView to remind me "you are doing something wrong". I just checked and <%Response.Write(null);%> will work in plain ASP.NET (won't throw), so the choice is:
- stick to the ASP.NET default behavior for the sake of consistency, which will also avoid a raw error that may trigger when unexpected data occurs and which is hard to catch
or
- keep the current behavior (enhancing the error message with the template row number would help, maybe possible with the #line preprocessor directive) and add a well-established coalescing operator that works with any type (Emptify is ok to me but maybe something nicer wouldn't hurt)
Andrew Hallock on December 29th, 2007 at 9:20pm
First, thanks for a great view engine! Can't the default encoding be set in configuration? I was looking at Grails, and they have a section in their config that looks like:

// The default codec used to encode data with ${}
grails.views.default.codec='html' // none, html, base64

I would love it if <%=%> could default to HTML encoding, because I would definitely forget to call a special encoding routine. Also, a side note, but is it possible to use master pages in AspView? I generally dislike ViewContents, as you can't use inner layouts with that.
Refused on October 19th, 2008 at 7:02am
Hello; I'm using AspView as the view engine for a MonoRail project, but it doesn't use a layout: the problem is that it appears that the property <%= ViewContents %> doesn't work! It says that this is not implemented... any ideas? Thanks in advance... (and sorry for my English :( ) Bye.
Ken Egozi on October 19th, 2008 at 10:09am
@Refused: I think you might be using a *very* old version of AspView. Layouts have been supported for over a year. I'd suggest you take the latest from Castle's build server for a spin.
Refused on October 19th, 2008 at 12:08pm
Hi! I got the latest version from the Subversion repository (http://svn.castleproject.org:8080/svn/castlecontrib/viewengines/aspview/); the compiled assemblies (1.0.3.386 for RC3 from www.aspview.com) gave me the same error. In the latest source code, in ViewAtDesignTime, the ViewContents property throws a ShouldNotBeImplemented exception. All the compiled assemblies I've tried have caused the same error. From where can I download the latest updated version? Thanks!
Ken Egozi on October 19th, 2008 at 3:12pm
@Refused: you have two issues:
1. You use a rather old version. I suggest you get the latest Castle, either from http://builds.castleproject.org/cruise/index.castle or from http://svn.castleproject.org:8080/svn/castle/trunk/
AspView is part of the core distribution now, so you won't need to get it separately.
2. Aside from the problem, what is probably happening is that you call the view directly (through the URL) instead of calling it through an action. I suggest that you forward this question, along with your sample code (controller + view) and the URL you are setting in the browser, and you'll get help shortly.
Refused on October 19th, 2008 at 4:19pm
Hi; I hope I do not bother you with so many questions... My example is very, very easy; I'm beginning with MonoRail and AspView.

My controller:

    using Castle.MonoRail.Framework;

    namespace Proximity.Controllers
    {
        [Layout("Default")]
        public class HomeController : SmartDispatcherController
        {
            public void Index()
            {
            }
        }
    }

My view:

    <%@ Page Language="C#" Inherits="Castle.MonoRail.Views.AspView.ViewAtDesignTime" %>
    <% %>
    <p> Hello world!</p>

My layout:

    <%@ Page Language="C#" Inherits="Castle.MonoRail.Views.AspView.ViewAtDesignTime" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
        <title>Layout</title>
    </head>
    <body>
        <%= ViewContents %>
    </body>
    </html>

I go to //localhost/myproject/home/index.prox, it executes the code contained in the Index method, and when it renders the layout an error occurs on the property <%= ViewContents %>:

This method is a mock for intellisense purposes only. It should not be called in runtime through this class or any of it's successors
Descripción: Excepción no controlada al ejecutar la solicitud Web actual. Revise el seguimiento de la pila para obtener más información acerca del error y dónde se originó en el código.

Thanks!
Ken Egozi on October 19th, 2008 at 7:49pm
@Refused: what happens if you write:

    public void Index()
    {
        RenderText("Something");
    }

Plus, what's in your Web.config? Just to make sure everything is in place.
Refused on October 20th, 2008 at 1:22pm
Hi Ken! I am very grateful for the help you are providing me. If I write the RenderText("TEXT"); method in Index, this appears on the page, but it does not render the layout, and now it is not causing the error...
Refused on October 20th, 2008 at 1:30pm
Hi again! I finally got it working! I replaced the directive <%@ Page Language="C#" Inherits="Castle.MonoRail.Views.AspView.ViewAtDesignTime" %> with <%@ Page Language="C#" Inherits="Castle.MonoRail.Views.AspView.AspViewBase" %>. I do not understand it very well, because in the documentation it inherits from ViewAtDesignTime... but I can still proceed with AspView and MonoRail! Thank you very much for your help! Bye.
needhelp on December 22nd, 2008 at 7:15am
Hi Ken, I'm encountering a weird problem similar to the problem of @Refused; unfortunately, when I replace ViewAtDesignTime with AspViewBase I get this error.

-------Error--------
Parser Error Message: 'Castle.MonoRail.Views.AspView.AspViewBase' is not allowed here because it does not extend class 'System.Web.UI.Page'.
Source Error:
Line 1: <%@Page Language="c#" inherits="Castle.MonoRail.Views.AspView.AspViewBase"%>
Line 2:
Line 3: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-----End------

Any thoughts on this?
Ken Egozi on December 22nd, 2008 at 12:35pm
@Refused: ViewAtDesignTime is only meant to be used to fool Visual Studio. In reality, every view will be compiled into a C# class, which will in turn inherit from AspViewBase. If you use ReSharper then you can specify AspViewBase and it will even give you a cleaner experience.
Ken Egozi on December 22nd, 2008 at 12:38pm
@needhelp: this error means that you are trying to access the view from your browser; maybe you hit F5 in Visual Studio while editing the view. In MonoRail, a client (browser) does not access the view directly, but rather a controller's action. Usually this means that to render the Views/Home/Index.aspx view, you'd have a HomeController with a void Index() action, and that you'd point your browser to /Home/Index.whatever, rather than to /Views/Home/Index.aspx. Does this make any sense?