We recently run VeraCode and it failed the following method:
static public void WriteTargetAttribute(HtmlTextWriter writer, string targetValue)
{
if ((writer != null) && (!String.IsNullOrEmpty(targetValue)))
{
if (targetValue.Equals("_blank", StringComparison.OrdinalIgnoreCase))
{
string js = "window.open(this.href, '_blank', ''); return false;";
writer.WriteAttribute("onclick", js);
writer.WriteAttribute("onkeypress", js);
}
else
{
writer.WriteAttribute("target", targetValue);
}
}
}
The VeraCode fails on the last line: " writer.WriteAttribute("target", targetValue);"
What can I do to fix it?
Thank's
The problem is that 'targetValue' is being passed down to your method, but there is no neutralization of this before it gets used - the string gets uses 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf
Because 'targetValue' will get rendered to the web page, someone could enter script which will get rendered on the final page. If 'targetValue' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.
Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
You should be able to use HtmlEncode to make this safe HttpUtility.HtmlEncode(targetValue);
writer.WriteAttribute("target", System.web.HttpUtility.HtmlEncode(targetValue));
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.