

How to encode value to put in iframe src attribute to prevent XSS in ASP.NET MVC

Using ASP.NET MVC, I have a URL that takes a querystring param called path, which can be a URL within my site. I found an XSS vulnerability and I cannot figure out how to encode the path value correctly to prevent XSS (but not write a lot of code to whitelist acceptable URLs).

So the URL that the user visits is:

/iFrame?path=mypage.aspx

The XSS can be seen like this:

/iFrame?path=javascript:alert%281%29

The HTML for the iFrame that uses the path querystring value is:

<iframe src="@Model.Source"></iframe>

I've also tried:

Both of those methods still display the JavaScript alert box.

Is there a built-in encoder for ASP.NET MVC that will encode it so that the src will not execute JavaScript? Or do I need to do some whitelisting or use other methods to protect against it?

I'd recommend reading Preventing Open Redirection Attacks (C#), which talks about using the IsLocalUrl() method from the ASP.NET MVC 3 UrlHelper class:

public bool IsLocalUrl(string url) {
  return System.Web.WebPages.RequestExtensions.IsUrlLocalToHost(
    RequestContext.HttpContext.Request, url);
}

The IsUrlLocalToHost() method from the System.Web.WebPages RequestExtensions class:

public static bool IsUrlLocalToHost(this HttpRequestBase request, string url)
{
  return !url.IsEmpty() &&
      ((url[0] == '/' && (url.Length == 1 ||
       (url[1] != '/' && url[1] != '\\'))) ||   // "/" or "/foo" but not "//" or "/\"
       (url.Length > 1 &&
        url[0] == '~' && url[1] == '/'));   // "~/" or "~/foo"
}

You need to parse the URL and whitelist the protocol.

Call Uri.TryParse(), and reject any URL for which that returns false, or has a protocol other than HTTP or HTTPS.

You also need to decide whether to allow relative URLs.
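As an added example (not code from the question or either answer), a C# helper that combines the two answers: a site-local path is accepted under the same rules as the quoted IsUrlLocalToHost, and an absolute URL is accepted only when its scheme is http or https. The class and method names (IframeSourceValidator, IsLocalPath, GetSafeSource) are hypothetical; the absolute branch uses Uri.TryCreate, the non-throwing parser of the .NET Uri class, and the sample inputs are constructed.

```csharp
using System;

// Added example (not from the original post): validates the "path" value before
// it is rendered as an iframe src. Local paths are accepted as IsUrlLocalToHost does;
// absolute URLs only with an http/https scheme. javascript:, data:, vbscript: and
// protocol-relative "//host" values are rejected.
public static class IframeSourceValidator   // hypothetical name
{
    // Same rules as System.Web.WebPages.RequestExtensions.IsUrlLocalToHost.
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Returns a value safe to render as src, or null when the input must be rejected.
    // Razor's @ syntax still HTML-attribute-encodes the result, but that encoding alone
    // cannot stop a javascript: URL, which is why the scheme is checked here.
    public static string GetSafeSource(string url, bool allowAbsolute)
    {
        if (string.IsNullOrWhiteSpace(url)) return null;
        url = url.Trim();
        // Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so reject
        // any control character rather than trying to normalise it away.
        foreach (char c in url)
            if (char.IsControl(c)) return null;
        // "/page" or "~/page" (resolve "~/" with Url.Content before rendering).
        // Bare names such as "mypage.aspx" are not accepted here; prefix them with "/".
        if (IsLocalPath(url)) return url;
        if (!allowAbsolute) return null;

        Uri parsed;
        if (!Uri.TryCreate(url, UriKind.Absolute, out parsed)) return null;
        // Uri lowercases the scheme, so "JavaScript:" is caught as well.
        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps)
            return null;
        return parsed.AbsoluteUri;
    }

    public static void Main()
    {
        // Constructed sample inputs, including the two values from the question.
        string[] samples = { "mypage.aspx", "/mypage.aspx", "javascript:alert%281%29",
                             "JavaScript:alert(1)", "//evil.example/x", "~/reports",
                             "https://example.com/page", "  data:text/html,hi" };
        foreach (string s in samples)
            Console.WriteLine("{0,-28} -> {1}", s, GetSafeSource(s, true) ?? "REJECTED");
    }
}
```

In the view, render the validated value with `@Model.Source` as in the question; the attribute encoding Razor applies is still needed for quotes and angle brackets, but the scheme check above is what blocks the javascript: payload.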
