Tweaks and Security
12 Jun 2009 @ 10:46AM

Updated: 27 Jan 2010 @ 10:51AM
We just need to wrap up a few things and we've completed this website. It's been quite a trip so far. One of the things you may recall us wanting to allow was for a blogger to put a link or other HTML markup in their posts. So, make a new post and try adding some markup.

You probably just got an error like this:


A potentially dangerous request? Oh noes!


This may confuse you at first, but it's actually pretty simple. C# detected that a variable we were populating from a POST request was being fed with markup. In this case it was HTML, but it could've been JavaScript or even embedded objects like Flash, Java or Silverlight. Any of these things can be really, really bad. So C# tries to protect you by throwing this error and stopping web page execution. So how do you fix it? The answer is actually in the error description. We have to edit the .aspx page and add validateRequest=false into the page directive.


No more error


There we go, now it works. So wait... what about comments? Do we really want random internet people to be able to post JavaScript and HTML into comments? Oh no, definitely not. However, with the validateRequest=false we just added, they can do just that. What we need to do is filter their inputs and strip out any illegal content like HTML and JavaScript. So how do we do that? Actually, we already have a sanitize() method just for that. So let's make some changes to it.
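// Needed for Regex (see the note below the code)
using System.Text.RegularExpressions;

public enum clean{
     DB, TAGS
}

private string sanitize(string value, clean type)
{
     switch (type)
     {
          case clean.DB:
               // Double every single quote so the value can sit inside a SQL string literal
               value = value.Replace("'", "''");
               break;
          case clean.TAGS:
               // Remove everything from a '<' to the next '>'; (.|\n) lets a tag span line breaks
               value = Regex.Replace(value, @"<(.|\n)*?>", string.Empty);
               break;
     }
     return value;
}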

We start by altering our clean enum to have another option called TAGS. I could've called that anything, but TAGS works for me. We then add a new case into the switch statement and do a Regex against the value that should strip our tags out for us. In order to add Regex I had to add a new namespace... just type Regex, then wait for Visual Studio to put a little red underline under the Regex word. Hover over it and you should get the option to add the namespace automatically. Alternatively, you can just manually add the System.Text.RegularExpressions namespace.

Regex is an extremely complicated subject, one I'm not versed well enough in to write a tutorial on at this time. However, there are plenty of options out there for a decent tutorial. Check out this page for some great information.
Next we just sanitize our comment inputs for tags.
string commentText = sanitize(sanitize(getVariable("commentText", var.POST), clean.TAGS), clean.DB);

This line is from the saveComment() method where we pluck the commentText POST variable. We just added an extra level of sanitizing to it where the tags are removed.

Et voilà, that security hole has been closed. We're going to call this tutorial over with at this point. There's definitely a possibility there are other bugs in here that I did not catch. And there is a lot of missing functionality. For instance, how do we make invisible blogs and comments visible again? Right now the only way is to go manually into the database: there is no UI. What if a blogger is a bad person and puts malicious JavaScript into his blog? And of course there are many other things I'm sure you could think of.
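An added example, not part of the original tutorial: a small console program that runs the clean.TAGS pattern and HTML encoding side by side over three constructed comments, to show what tag stripping does to text that merely contains angle brackets and to a tag that is never closed. Encoding at output time with System.Net.WebUtility.HtmlEncode is an assumption here, and the class name, method names and sample comments are hypothetical.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class CommentOutputDemo
{
    // Same pattern as the tutorial's clean.TAGS case.
    static string StripTags(string value)
    {
        return Regex.Replace(value, @"<(.|\n)*?>", string.Empty);
    }

    // Assumed alternative: keep the text as typed and encode it
    // at the moment it is written into the HTML page.
    static string EncodeForHtml(string value)
    {
        return WebUtility.HtmlEncode(value);
    }

    static void Main()
    {
        // Constructed sample comments, not taken from the tutorial.
        string[] samples =
        {
            "Nice post <b>thanks</b>",      // ordinary, properly closed tags
            "use it when 1 < x and y > 2",  // plain text that contains angle brackets
            "trailing <b class=note",       // a tag that is never closed
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input   : " + s);
            Console.WriteLine("stripped: " + StripTags(s));
            Console.WriteLine("encoded : " + EncodeForHtml(s));
            Console.WriteLine();
        }
    }
}
```

The stripped output loses the text between the two angle brackets in the second comment and leaves the unclosed tag in the third untouched, while the encoded output keeps every comment intact and turns each `<` and `>` into an entity the browser displays as text.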

Files To This Point