
How can I fix improper Neutralization of Script-Related HTML Tags in a Web Page?

We recently ran VeraCode and it failed the following method:

static public void WriteTargetAttribute(HtmlTextWriter writer, string targetValue)
{
    if ((writer != null) && (!String.IsNullOrEmpty(targetValue)))
    {
        if (targetValue.Equals("_blank", StringComparison.OrdinalIgnoreCase))
        {
            string js = "window.open(this.href, '_blank', ''); return false;";
            writer.WriteAttribute("onclick", js);
            writer.WriteAttribute("onkeypress", js);
        }
        else
        {
            writer.WriteAttribute("target", targetValue);
        }
    }
}

VeraCode fails on the last line: writer.WriteAttribute("target", targetValue);

What can I do to fix it?

Thanks

The problem is that 'targetValue' is being passed down to your method, but there is no neutralization of it before it gets used - the string gets used 'as-is', so it could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf

Because 'targetValue' will get rendered to the web page, someone could enter script which will get rendered on the final page. If 'targetValue' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.

Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

You should be able to use HtmlEncode to make this safe: HttpUtility.HtmlEncode(targetValue);

writer.WriteAttribute("target", System.Web.HttpUtility.HtmlEncode(targetValue));
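An added example (not the answerer's code) of the stricter fix a reviewer would usually ask for on top of encoding: validate `targetValue` against an allowlist before it is written, and use the three-argument `HtmlTextWriter.WriteAttribute(name, value, fEncode)` overload so the writer attribute-encodes the value itself rather than writing it raw. The keyword list and frame-name pattern are an assumed policy, and the sample inputs in `Main` are constructed.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.UI;

static class SafeTargetWriter
{
    // Standard browsing-context keywords, accepted as-is (case-insensitive).
    static readonly string[] Keywords = { "_blank", "_self", "_parent", "_top" };

    // Assumed policy for named frames: a short identifier only, so no quotes,
    // angle brackets or whitespace can ever reach the attribute value.
    static readonly Regex FrameName = new Regex(@"^[A-Za-z][A-Za-z0-9_-]{0,63}$");

    public static bool IsAllowedTarget(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        foreach (var k in Keywords)
            if (k.Equals(value, StringComparison.OrdinalIgnoreCase)) return true;
        return FrameName.IsMatch(value);
    }

    public static void WriteTargetAttribute(HtmlTextWriter writer, string targetValue)
    {
        if (writer == null || string.IsNullOrEmpty(targetValue)) return;
        // Reject anything outside the allowlist instead of trying to repair it.
        if (!IsAllowedTarget(targetValue))
            throw new ArgumentException("target value not permitted", nameof(targetValue));
        // fEncode = true: HtmlTextWriter attribute-encodes the value, unlike the
        // two-argument overload that Veracode flagged in the question.
        writer.WriteAttribute("target", targetValue, true);
    }

    static void Main()
    {
        // Constructed inputs: a keyword, a frame name and an attribute breakout attempt.
        foreach (var c in new[] { "_blank", "helpFrame", "frame\" x=\"1" })
            Console.WriteLine(c + " allowed: " + IsAllowedTarget(c));
        using (var sw = new StringWriter())
        using (var w = new HtmlTextWriter(sw))
        {
            w.WriteBeginTag("a");
            WriteTargetAttribute(w, "helpFrame");
            w.Write(HtmlTextWriter.TagRightChar);
            w.WriteEncodedText("Docs");
            w.WriteEndTag("a");
            Console.WriteLine(sw.ToString());
        }
    }
}
```

Encoding still matters for the allowed values (the third argument keeps that), but rejecting unexpected input up front is what removes the untrusted-data path the scanner is reporting.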
