Sunday, January 24, 2010

Do not allow HTML into the textbox

This is something QA teams try most of the time, and then file bugs against the web application: they enter HTML into a textbox and the request fails, as usual. If it is an ASP.NET web application, the page renders a generic .NET error page (an HttpRequestValidationException, "A potentially dangerous Request.Form value was detected from the client"). This is a security feature. ASP.NET request validation (I am not sure how other frameworks treat HTML in a textbox) treats any HTML-looking content in an input field as a "script injection attack" and rejects the whole request before your code runs.
If you are sure the application can safely accept HTML tags in its input controls, there are two ways to turn request validation off.
  • For a specific page, add the extra attribute ValidateRequest="false" to the @ Page directive. This applies only to that page, so HTML can be entered into the text boxes on that page.
  • To do it for every page in the application, set validateRequest="false" on the <pages> element in web.config. (On ASP.NET 4.0 and later, validation also runs before the page object exists, so the page-level switch only takes effect together with <httpRuntime requestValidationMode="2.0" /> in web.config.)
But, as we discussed, this is not a 100% solution, because it reopens the door to script injection. So how do you stop users from typing HTML into the textbox without turning validation off? These days everyone uses JavaScript or jQuery in their web applications; I chose jQuery for this. Below is the solution.
$(document).ready(function() {
    // Clean the value on every keystroke and on click. .live() is used so that
    // inputs added to the page later are covered too (jQuery 1.3 to 1.8; on
    // jQuery 1.7+ the equivalent is $(document).on("keyup click", "input", ...)).
    $("input").live("keyup click", function() {
        RemoveTheHTMLFromTextBox($(this));
    });
    // blur is bound directly, as in the original, because delegated blur
    // handling was not available in the jQuery versions of the time.
    $("input").blur(function() {
        RemoveTheHTMLFromTextBox($(this));
    });

    function RemoveTheHTMLFromTextBox(obj) {
        var inputValue = $(obj).val();
        // Only rewrite the value when it contains a character we remove,
        // so the caret position is not disturbed on ordinary typing.
        if (/[<>"&]/.test(inputValue)) {
            $(obj).val(inputValue
                .replace(/"/g, "")
                .replace(/</g, "")
                .replace(/>/g, "")
                .replace(/&/g, ""));
        }
    }
});

This looks for the tag characters [<>] (and also the quote and ampersand characters that build attributes and entities) and removes them, so the submitted value never trips request validation. Keep in mind that it runs only in the browser: a request sent without the script (JavaScript disabled, or the form posted directly) still carries the raw value, so request validation and server-side HTML encoding must stay in place; this script is a usability aid, not the security control. Hope you like it. What is your opinion? Any better solution?

Note: Don't forget to include the jQuery file before this script runs.
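The point made above (and in the comments below), as an added example that is not part of the original post and is neither ASP.NET nor jQuery code: a plain JavaScript model of both sides of the form, runnable under Node. The names stripMarkupChars, looksDangerousToRequestValidation, htmlEncode and serverHandle are assumed helpers for illustration; the request-validation check is a simplified approximation of what ASP.NET flags, not the framework's own code; and the sample inputs are constructed. It shows that the client-side strip only changes what a browser running the script sends, while the server still has to rely on request validation or on encoding the value when it is rendered.

```javascript
// Added example, not from the original post. Models the client-side strip,
// ASP.NET request validation (approximated) and server-side HTML encoding
// as pure functions so the interaction can be exercised without a browser.

// 1. The post's client-side cleanup as a pure function (assumed name):
//    removes the four characters that can open or close a tag, quote an
//    attribute, or start an entity.
function stripMarkupChars(value) {
  return value.replace(/["<>&]/g, "");
}

// 2. Approximation of what ASP.NET request validation rejects: a '<'
//    followed by a letter, '!', '/' or '?', or the start of a numeric
//    entity '&#'. (Assumption: mirrors the documented behaviour; this is
//    not the framework's code and is not a complete XSS filter.)
function looksDangerousToRequestValidation(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// 3. The server-side defence from the comments (Server.HtmlEncode),
//    ported: encode on output so the browser displays the text instead of
//    parsing it as markup.
function htmlEncode(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// 4. What the server sees for one posted field (assumed name).
//    clientScriptRan=false models a request built with curl or a proxy, or
//    a browser with JavaScript disabled: the jQuery handler never ran, so
//    the raw value arrives unchanged.
function serverHandle(rawValue, opts) {
  var value = opts.clientScriptRan ? stripMarkupChars(rawValue) : rawValue;
  if (opts.validateRequest && looksDangerousToRequestValidation(value)) {
    return { accepted: false, reason: "request validation rejected input" };
  }
  return { accepted: true, rendered: htmlEncode(value) };
}

// Constructed sample input: the classic probe QA types into a textbox.
var probe = '<script>alert(1)</script>';

// Walk the three cases the post and its comments discuss.
function demo() {
  return {
    browserWithScript: serverHandle(probe, { clientScriptRan: true,  validateRequest: true }),
    directPostValidated: serverHandle(probe, { clientScriptRan: false, validateRequest: true }),
    directPostUnvalidated: serverHandle(probe, { clientScriptRan: false, validateRequest: false })
  };
}
```

Running demo() gives three outcomes: with the script, the server receives "scriptalert(1)/script" and accepts it; without the script but with validation on, the request is rejected (the generic error page from the post); without the script and with ValidateRequest="false", the raw tag reaches the server and only htmlEncode keeps it from rendering as markup. That is why disabling validation must be paired with encoding on output.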

4 comments:

  1. This won't work if JavaScript is turned off... any actual attacker is going to get around this easily.

  2. Yes, you are right. This won't work if JavaScript is turned off. But even if it is turned off, because ValidateRequest="false" is not set in the application, the framework throws the generic exception. So there won't be any script injection attacks. This solution is only for those who do not want to set ValidateRequest to false and want to check that HTML tags are not entered.

    thanks
    -Praveen.

  3. You should use HttpServerUtility.HtmlEncode to encode user input; remember the user does not have to submit your form. A client-side function is only for usability; you should always implement your logic on the server side for validation and encoding.

  4. I think you didn't understand me correctly here. First of all, while sending data to the server your request will fail, because the inputs contain HTML text. So there is no way to process the data. Because of that, it is no use whatever you write in Page_Load or the button click on the server side. This post is about how to stop users from entering HTML text into the textbox. Hope you understand it correctly.

    thanks
    -Praveen.
