I have a JavaScript application where I use client-side templates (underscore.js, Backbone.js).

Data for the initial page load is strapped into the page like this (.cshtml Razor file):

<div id="model">@Json.Encode(Model)</div>

The Razor engine performs escaping, so if the Model is

new { Title = "<script>alert('XSS');</script>" }

in the output we have:

<div id="model">{"Title":"\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e"}</div>

After the "parse" operation:

var data = JSON.parse($("#model").html());

we have an object data with a "Title" field that is exactly "<script>alert('XSS');</script>"!

When this goes to an underscore template, it alerts. Somehow \u003c-like symbols are treated like proper "<" symbols.

How do I escape "<" symbols to &lt; and &gt; from the DB (if they somehow got there)?

Maybe I can tune Json.Encode serialization for escaping these symbols?

Maybe I can set up Entity Framework, which I'm using, to automatically escape these symbols absolutely all the time when getting data from the DB?
- If you disable the <script> that parses it as JSON, does it still show an alert? – Mike Samuel, Feb 23, 2012 at 1:18
- It alerts only when it is being inserted into the DOM through an Underscore template (jQuery-like template). When it is just first on a page in a div, it doesn't alert. – Roman, Feb 23, 2012 at 6:05
3 Answers
\u003c and similar codes are perfectly valid for JS. You can obfuscate whole JS files using this syntax, if you so choose. Essentially, you're seeing an escape character \, u for unicode, and then a 4-character hex code which relates to a symbol.
http://javascript.about.com/library/blunicode.htm
\u003c - as you've noted, is the < character.
One approach to "fixing" this on the MVC side would be to write a RegEx which looks for the pattern \u - and then captures the next 4 characters. You could then un-encode them into actual unicode characters - and run the resultant text through your XSS prevention algorithms.
As you've noted in your question - just looking for "<" doesn't help. You also can't just look for "\u003cscript" - because this assumes the potential hacker hasn't simply unicode-encoded the entire "script" tag word. The safer approach is to un-escape all of these kinds of codes and then cleanse your HTML in plain-text.
Incidentally, it might make you feel better to note that this is one of the common (and thus far poorly resolved) issues in XSS prevention. So you aren't alone in wanting a better solution...
You might check out the following libraries to assist in the actual html cleansing:
http://wpl.codeplex.com/ (Microsoft's attempt at a solution - though very bad user feedback)
https://www.owasp/index.php/Category:OWASP_AntiSamy_Project_.NET (A private project which is designed to do a lot of this kind of prevention. I find it hard to use, and poorly implemented in .NET)
Both are good references, though.
You need to encode your string as HTML before providing it to Underscore.
"HTML escaping in Underscore.js templates" explains how to do this.
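To make the point of the answer above concrete, here is an added example (not code from the original post or from Underscore): the \u003c sequences are ordinary JSON string escapes that JSON.parse turns back into "<", so the encoding that prevents the alert has to happen when the value is written into markup. The `render` helper is a constructed stand-in for Underscore's `<%= %>` (raw) and `<%- %>` (escaped) tags, and the sample JSON is the string from the question.

```javascript
// Constructed sample: the JSON exactly as @Json.Encode emits it into the
// <div id="model"> in the question. In a JS literal the backslash is doubled,
// so the parser sees \u003c, which is a JSON escape for "<".
const razorOutput =
  '{"Title":"\\u003cscript\\u003ealert(\\u0027XSS\\u0027)\\u003c/script\\u003e"}';

// What the page's JSON.parse($("#model").html()) step produces.
function parseModel(json) {
  return JSON.parse(json);
}

// Minimal HTML entity escaping, similar in effect to Underscore's _.escape.
// This is the output-time encoding the answer refers to; it does not belong
// in the database layer or in Json.Encode, which must keep the data intact.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Tiny template renderer with Underscore-style tags (hypothetical helper):
// <%= key %> interpolates raw, <%- key %> interpolates HTML-escaped.
// Only plain property names are supported in this demonstration.
function render(template, data) {
  return template.replace(/<%([=-])\s*(\w+)\s*%>/g, (_, mode, key) => {
    const value = data[key];
    return mode === '-' ? escapeHtml(value) : String(value);
  });
}

const data = parseModel(razorOutput);
// data.Title is now the literal string <script>alert('XSS')</script>:
// the JSON escapes did not survive parsing, and were never meant to.

// Raw interpolation puts a live <script> element into the DOM.
const unsafeHtml = render('<h1><%= Title %></h1>', data);
// Escaped interpolation renders the same value as visible text.
const safeHtml = render('<h1><%- Title %></h1>', data);
```

Rendering `safeHtml` with jQuery's `.html()` shows the tag as text, while `unsafeHtml` is the situation described in the question.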
If you want to write unencoded content you will need to use the Html.Raw() helper:
@Html.Raw(Json.Encode(Model))
Edit:
I guess, perhaps I'm not understanding what your problem is. For example within a test controller I have the following
ViewBag.Test = new { Title = "<script>alert('XSS');</script>" };
In the related view:
<script type="text/javascript">
var test = @Html.Raw(Json.Encode(ViewBag.Test));
console.log(test.Title);
document.write(test.Title);
</script>
Which in turn outputs to the console:
<script>alert('XSS');</script>
And opens the alert.