Recent ASP.NET MVC, Javascript, Security/Attacks, Encoding

Filed under ASP.NET, Javascript

Stackoverflow Recent (21st Aug 2011) Questions with Answers – ASP.NET MVC, Javascript, Security/Attacks, Encoding:

See the Q&A item on Stackoverflow for full details and additional answers.  Comments/questions should also be directed to the linked page.

Razor MVC partial view cannot find end of code blocks and LI tags

I have a partial view that is not rendering:

The designer is telling me the foreach(Dress d in Model) is missing a closing character “}”, the foreach(Picture p in d.Pictures) is missing a closing character “}”, and the LI item is not closed.
[see question on stackoverflow for code]
Answers:

Mystere Man: Take out the extra braces; also you have an extra quote in the alt attribute of the img tag, which is probably what is causing your unclosed tag problem.

@model IEnumerable<MyApp.Model.Dress>

<ul>
@foreach (Dress d in Model) {
    foreach(Picture p in d.Pictures) {
        string dressPrefix = "images/Dresses/"+p.Dress.DressName;
        string bigThumb = dressPrefix+"-"+p.Caption+"_bigthumb.jpg";
        string thumb = dressPrefix+"-"+p.Caption+"_thumb.jpg";
        string dressTitle = d.DressName+" "+d.Price.ToString();

        <li>
            <a href="@bigThumb" title="@dressTitle">
                <img src="@thumb" alt="@dressTitle" />
            </a>
        </li>
    }
}
</ul>

FYI, you really shouldn’t be doing that much code in your view, that should be in your controller. You should also use string.Format to format the strings, not using the + operator.


I also had to put the full name of the classes in both foreachs: foreach(MyApp.Model.Dress d in Model) and foreach(MyApp.Model.Picture p in d.Pictures) – Rick Hodder
You can also just put a @using at the top, so @using Myapp.Model. – Mystere Man

—————————————–
Problem with LogOn page loading inside div on membership redirection

I am using Membership Authentication in an MVC3 webapp. I make heavy use of jQuery and loading partial views inside divs and tabs. My problem is when the user has been inactive and is logged out and then he tries to call an Action inside a Controller which loads a partial view inside a div or tab, the entire page with the LogOn view is loaded inside the div, wrecking my layout.

The redirection is done correctly, and is the desired effect; however, I would like the LogOn page to load in the window, rather than in a div in the current view. Does anyone know how to accomplish this?

Is it clear what I want and what's wrong? Thank you.

Answers:

Steve Morgan: The combination of authenticated calls and Ajax is always a problem, because Ajax doesn't properly handle the redirect. I prefer not to use the Authorize attribute on Ajax-called controller actions, but to check for the user being authenticated inside the method and return a specific HTTP response (such as HTTP 403 Unauthorised). Using an error handler in your client-side script, you can test for this response and redirect to the login page by setting window.location.
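Added example, not code from the answer above: it models the 403-instead-of-redirect pattern Steve Morgan describes, with the server-side check and the client-side error handler as plain functions so both can be exercised outside a browser. Ajax detection via the X-Requested-With header (which jQuery sets), the LOGIN_URL route and the response shapes are assumptions made for this illustration.

```javascript
// Added example (not from the original answer). Assumed: LOGIN_URL, the request/response
// object shapes, and X-Requested-With as the Ajax marker.
const LOGIN_URL = '/Account/LogOn'; // assumed route of the LogOn action

// Server side. [Authorize] answers an unauthenticated call with a 302 to LogOn, and
// XMLHttpRequest follows that redirect silently, so the Ajax caller receives the whole
// login page with status 200 and injects it into the div. Answering Ajax callers with
// 403 and a small JSON body lets the client tell the two cases apart.
function authorizeAjax(request) {
  const isAjax = (request.headers['x-requested-with'] || '') === 'XMLHttpRequest';
  if (request.user && request.user.authenticated) {
    return { status: 200, contentType: 'text/html', body: '<div>partial view</div>' };
  }
  if (isAjax) {
    return { status: 403, contentType: 'application/json',
             body: JSON.stringify({ loginUrl: LOGIN_URL }) };
  }
  return { status: 302, location: LOGIN_URL }; // normal navigation keeps the redirect
}

// Client side (the error handler). Returns the decision instead of performing it so it
// can be tested; the caller sets window.location when the action is 'relocate'.
function handleAjaxResponse(response) {
  if (response.status === 403) {
    return { action: 'relocate', to: JSON.parse(response.body).loginUrl };
  }
  // Fallback for an action still decorated with [Authorize]: a followed redirect yields
  // status 200 but the body is the LogOn form, which must not be rendered into the div.
  if (response.status === 200 && /<form[^>]*\bLogOn\b/i.test(response.body)) {
    return { action: 'relocate', to: LOGIN_URL };
  }
  return { action: 'render', html: response.body };
}
```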

AJC: Just fixed my problem with a little script. It's not the best solution, and I am not totally comfortable with it, but at least it solves my problem in a very simple way.

In case anyone is interested, here's what I did: I added this snippet of code at the beginning of my Log on page:

<script type="text/javascript">

    // If this LogOn view was fetched by an Ajax call and injected into a div, the
    // address bar does not contain the LogOn URL; in that case navigate the whole
    // window to the real LogOn page instead of leaving it inside the div.
    function relocate() {
        var str = window.location.href;
        var num = str.indexOf('@Url.Action("Action", "Controller", new { area = "" })');
        if (num < 0) {
            window.location = '@Url.Action("Action", "Controller", new { area = "" })';
        }
    }

    relocate();
</script>

This way if the login page loads inside some div and not on the window, it relocates to the actual login page.

—————————————–
Is this javascript encoding properly written?

I have tried some tips I was given regarding URL encoding but I have had no success so far. First, I was given this format,

var url = "http://www.polyvore.com/cgi/add?title="
      + encodeURIComponent(%%GLOBAL_ProductName%%)
      + "&url=" + encodeURIComponent("http://lilaboutique.co.uk/products/"
          + encodeURIComponent(%%GLOBAL_ProductName%%)
          + "&imgurl=" + encodeURIComponent(%%GLOBAL_ThumbImageURL%%)
          + "&desc=" + encodeURIComponent(%%GLOBAL_ProductDesc%%)
          + "&price=" + encodeURIComponent(%%GLOBAL_ProductPrice%%));

which never got to be passed to the href, dunno for what reason. Then I played with it some more,

var url = "http://www.polyvore.com/cgi/add?title=encodeURIComponent(%%GLOBAL_ProductName%%)&url=http://lilaboutique.co.uk/products/encodeURIComponent(%%GLOBAL_ProductName%%)&imgurl=encodeURIComponent(%%GLOBAL_ThumbImageURL%%)&desc=encodeURIComponent(%%GLOBAL_ProductDesc%%)&price=encodeURIComponent(%%GLOBAL_ProductPrice%%)";

this time the url was passed but the values were mixed between the appropriate and other fields displaying the encoding function itself.

Any help clarifying my mistakes is greatly appreciated. I would like to encode just price and description, which seem to be the fields giving problems.

A regular link does render without problems:

var url = "www.google.com";

var myAnchor = document.getElementById('myAnchor');

myAnchor.href = url;

Thanks for any help

Answers:
Gary Green: Nicer, cleaner way of doing this:

var toEncode = {
  title:    '%%GLOBAL_ProductName%%',
  url:      'http://lilaboutique.co.uk/products/%%GLOBAL_ProductName%%',
  imgurl:   '%%GLOBAL_ThumbImageURL%%',
  desc:     '%%GLOBAL_ProductDesc%%',
  price:    '%%GLOBAL_ProductPrice%%'
};

var index, parts = [];

for (index in toEncode)
{
  // Encode each value on its own; the template placeholders are quoted so they are
  // substituted as strings before encodeURIComponent runs on the result.
  parts.push(index + '=' + encodeURIComponent(toEncode[index]));
}

var url = "http://www.polyvore.com/cgi/add?" + parts.join('&');

Actually, that closing bracket is at the end. It's my fault for formatting his code incorrectly; the last 4 lines should have been indented further to clarify. – Andy E
That piece of code is artwork haha, but I have to say that I'm still getting the problems from the beginning. I don't know for what reason price and description are not being passed. I wish I had access to the PHP script files, that would be a breeze, but BigCommerce does not provide for that. If you have other tips to get deeper into what those global variables are returning, please let me know. Thanks for the help. – elramirez
Just do some debugging: for (i in toEncode) alert(i+'='+toEncode[i]); and see what each is returning. – Gary Green
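Added example, not the questioner's or Gary Green's code: it generalises the per-field encoding loop into a reusable pair of functions and shows, on constructed product values, why description and price were the fields that broke. A description containing '&' and '=' and a price with '£' survive the encoded round trip, whereas the unencoded form from the second attempt on this page splits the description into a new field. The parseQuery helper and the sample values are constructed for this illustration.

```javascript
// Added example (not from the original question or answer). parseQuery and the sample
// product values are constructed here so the round trip can be checked offline.
function buildQuery(params) {
  const parts = [];
  for (const key in params) {
    if (!Object.prototype.hasOwnProperty.call(params, key)) continue;
    // Name and value are encoded separately: encodeURIComponent escapes the characters
    // that structure a query string ('&', '=', '?', '#') and non-ASCII such as '£'.
    parts.push(encodeURIComponent(key) + '=' + encodeURIComponent(String(params[key])));
  }
  return parts.join('&');
}

// Inverse of buildQuery, used only to demonstrate what the receiving script would see.
function parseQuery(queryString) {
  const result = {};
  for (const pair of queryString.split('&')) {
    if (pair === '') continue;
    const idx = pair.indexOf('=');
    if (idx < 0) { result[decodeURIComponent(pair)] = ''; continue; }
    result[decodeURIComponent(pair.slice(0, idx))] = decodeURIComponent(pair.slice(idx + 1));
  }
  return result;
}

// Constructed sample: the description and price hold exactly the characters that break
// a hand-built "?desc=" + value URL.
const sampleProduct = {
  title:  'Lace Dress',
  url:    'http://lilaboutique.co.uk/products/lace-dress',
  imgurl: 'http://lilaboutique.co.uk/img/lace_thumb.jpg',
  desc:   'Silk & lace, size=10 #new',
  price:  '£49.99'
};

function polyvoreUrl(product) {
  return 'http://www.polyvore.com/cgi/add?' + buildQuery(product);
}

// The second attempt on this page, reduced to its essence: values pasted in unencoded.
function naiveQuery(params) {
  return Object.keys(params).map(k => k + '=' + params[k]).join('&');
}
```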

DOM Based XSS Attack and InnerHTML (Php)

How would one go about securing the below DOM Based XSS attack?

Specifically, is there a protect() function that will make the below safe? If not, then is there another solution? E.g. giving the div an id and then later assigning the element an onclick handler.


XSS attack prevention (Java)

I'm developing a web app where users can respond to blog entries. This is a security problem because they can send dangerous data that will be rendered to other users (and executed by JavaScript).

They can’t format the text they send. No “bold”, no colors, no nothing. Just simple text. I came up with this regex to solve my problem:…

Javascript injection attack prevention for textboxes (C# / ASP.NET)

I have used HtmlEncode to prevent Javascript injection attacks. After thinking about it though I’m thinking I only need the HtmlEncode on the getter. The setter is only used by the system and can not be accessed by an external user.

Is this correct? — Yes. You only need to encode strings that you have accepted from the users and you have to show inside your pages. – Lorenzo

—-

ASP.NET Encoding:

Preventing Javascript Encoding XSS attacks in ASP.NET MVC
