ci_csrf_token was set to " onmouseover=prompt(XSS) bad=" - codeigniter

I used the ci_csrf_token hidden field in my forms, but every form in my script gets an alert with Acunetix Web Vulnerability Scanner.
Alert details:
Cookie input ci_csrf_token was set to " onmouseover=prompt(965267) bad="
The input is reflected inside a tag element between double quotes.
In the view source:
<input type="hidden" name="ci_csrf_token" value="\\" onmouseover=prompt(965267) bad=\"" />
Can anyone help me to solve it?

You need to HTML attribute-encode the token before you put it into the hidden field. Do you add it to the form on the client side or the server side? If you do it on the server side, you may want to do input validation to make sure the token is in the expected format.
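The two measures in the answer above, attribute-encoding the token on output and checking its format on input, shown as an added example in Python rather than CodeIgniter's own PHP code. The payload is the exact string from the scanner report quoted in the question (without the backslashes that CodeIgniter's view source added); the 32-hex-character token format is an assumption, not something the page states. The stdlib HTML parser is used to show what a browser would see in each case: the unencoded rendering yields extra onmouseover and bad attributes, the encoded one yields a single value attribute containing the payload as inert text.

```python
import html
import re
from html.parser import HTMLParser

# Constructed input: the value the scanner injected into the cookie,
# copied from the report quoted in the question above.
SCANNER_PAYLOAD = '" onmouseover=prompt(965267) bad="'

# Assumed token format (not stated on the page): 32 lowercase hex characters.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")

HIDDEN_FIELD = '<input type="hidden" name="ci_csrf_token" value="%s" />'


def render_hidden_field_unsafe(token: str) -> str:
    """The vulnerable pattern: the token is dropped into the attribute verbatim."""
    return HIDDEN_FIELD % token


def render_hidden_field_safe(token: str) -> str:
    """HTML attribute-encode the token: '"' -> &quot;, '<' -> &lt;, '&' -> &amp;, etc."""
    return HIDDEN_FIELD % html.escape(token, quote=True)


def is_well_formed_token(token: str) -> bool:
    """Server-side format check on the token read back from the cookie/request."""
    return TOKEN_RE.fullmatch(token) is not None


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <input ... /> here as well.
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(markup: str) -> dict:
    """Return {attribute name: decoded value} for the <input> in markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    unsafe = parse_input_attrs(render_hidden_field_unsafe(SCANNER_PAYLOAD))
    safe = parse_input_attrs(render_hidden_field_safe(SCANNER_PAYLOAD))
    print("unsafe attributes:", sorted(unsafe))   # includes 'onmouseover' and 'bad'
    print("safe attributes:  ", sorted(safe))     # only name, type, value
    print("payload passes format check:", is_well_formed_token(SCANNER_PAYLOAD))  # False
```

Do both: the format check rejects the scanner's value before it is ever rendered, and the attribute encoding keeps any other value, including a legitimate token containing unexpected characters, from closing the quoted attribute.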

Related

Migrate spring Form htmlEscape attribute behavior to Thymeleaf

I'm currently working on a Spring MVC project where we are migrating all our JSP files to Thymeleaf. I'm aware that the Spring form tag has an htmlEscape attribute that will escape user input when rendering, such as when the user submits an invalid form and the user input is rendered bound to the form. An example of this:
<form:form method="post" id="someForm" modelAttribute="${commandName}" htmlEscape="true" autocomplete="off">
<div class="form-group">
<input type="text" id="username" value="<c:out value='${inputValue}'/>"/>
<input type="password" id="password" />
<input type="submit" class="btn btn-lg btn-block-sm" value="<spring:message code="header.content.close"/>" tabindex="0" />
<input type="hidden" name="_eventId" value="continue"/>
</div>
</form:form>
This fits under the umbrella of output-escaping, which is something that happens on the server side when processing a template to render.
An example of an XSS attack this prevents is if the user entered
<script>alert("gotcha");</script> for the username, and some arbitrary value for the password. The form will rerender with the entered username bound to the form. The htmlEscape="true" attribute in the form tag will cause this output to be escaped to mitigate XSS. So the username field will contain the escaped text &lt;script&gt;alert(&quot;gotcha&quot;);&lt;/script&gt; when the bound form rerenders with the error, instead of the actually entered valid HTML.
Is there a standard way to achieve this same functionality in thymeleaf?
A few possibilities I see:
This is already built into thymeleaf.
I'm aware that the spring thymeleaf package uses unbescape to perform output escaping on some attributes, for example SpringValueTagProcessor which I believe escapes output on th:value attributes. However, I'm not sure this is equivalent, and fear there may be security holes left unfilled if this was done in a way that only partially mitigates what the spring form htmlEscape fully mitigates.
If so, please explain how this covers the same cases that htmlEscape does.
There is an existing Spring / Spring MVC solution that is flexible enough to not rely on jsp.
If so, what?
There is a common solution to this for thymeleaf which involves some modification of the template parsing engine.
If so, please explain.
Here is a brief article to give you an idea of what I mean regarding the spring form behavior. Regarding this article, it appears that setting the defaultHtmlEscape to false globally in the web.xml only overrides the default value of HtmlEscapeTag, which appears to only work for spring tags. Thus I don't think the solution can be applied to thymeleaf.
I would appreciate any direction here.
Escaping of output text is done automatically if you use th:text. In rare cases you can use th:utext if you want to output unescaped text, but you have to be aware of the security implications. See Process thymeleaf variable as html code and not text for some more info.
I ended up getting an answer on the GitHub discussions for the Thymeleaf project here, which I will summarize and clarify:
HTML escaping is built into Thymeleaf form elements by default.
This is evidenced by the th:input processor source code. Note the use of getDisplayString, which performs HTML output escaping via org.springframework.web.util.HtmlUtils.
I went through and manually checked all the uses of getDisplayString where htmlEscape is false and can verify that in these cases, the output is HTML escaped before displaying (in the case of SpringErrorTagProcessor and SpringUErrorsTagProcessor), they don't output any content to escape (SpringSelectedValueComparator returns a boolean), or the expression is a bound object (SPELVariableExpressionEvaluator).
See GitHub issue thymeleaf/thymeleaf-docs#84 for information regarding the docs being updated accordingly.

kendo ui, angular require validation for numeric text box

I am trying to use a Kendo numeric text box with Angular validation (ng-required); however, I'm not able to get it working. The ng-required attribute on this element has no effect on the form validation status.
From my understanding, the reason this doesn't work is that the Kendo numeric text box uses k-ng-model to store its value, whereas Angular validation works only with ng-model.
Has anyone else seen this issue, are there any workarounds?
I have found a workaround that involves using the kendo-numeric-text-box along with a hidden input field which makes use of ng-model.
<input data-kendo-numeric-text-box data-k-ng-model="numValue"/>
<input type="hidden" data-ng-model="numValue" data-ng-required="true" />

How to recognize which AJAX form it is in Django?

I have a view which takes care of all the AJAX submits from the client side, and to differentiate them I use different submit button names, such as this one:
<input type="submit" value="Send" name="send_message">
Suggested from this question.
The only problem is that on the view side it doesn't seem to carry the name to the server, so I cannot use the following if-statement:
if 'send_message' in request.POST:
It works if I send it normally with a page refresh. But I want to use it with AJAX.
I came up with a hack: you can add this name with jQuery, simply by concatenating the name attribute after serializing your data: data += "&send_message"
Then the if statement will work. But it doesn't seem so clean, so I wonder if there's a better way to handle this? Or should I make different views to handle the different AJAX calls I have?
You really should post each form to a different URL.
If not, you could add a hidden input with the name of the form as the value.
<input name="form_name" type="hidden" value="form_1" />
views.py:
form_name = request.POST['form_name']
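An added example (not the answer's code) of the single-view approach above done safely: the form_name value is attacker-controlled, so it is used only as a key into a fixed allowlist of handlers and anything unknown gets a 400. It also keeps the question's submit-button-name convention as a fallback, which only works when the button is actually serialized (jQuery's serialize() omits submit buttons, which is why the hack in the question was needed). request.POST and HttpResponse are replaced by a plain mapping and a (status, body) tuple so it runs without Django; the handler names and fields are made up.

```python
from typing import Callable, Dict, Mapping, Optional, Tuple

# Stand-ins so the example runs without Django: request.POST is modelled as a
# Mapping, HttpResponse as a (status code, body) tuple.
Response = Tuple[int, str]
Handler = Callable[[Mapping[str, str]], Response]


def send_message(post: Mapping[str, str]) -> Response:
    # Hypothetical handler; field names are invented for the example.
    return 200, "sent: %s" % post.get("message", "")


def delete_item(post: Mapping[str, str]) -> Response:
    return 200, "deleted item %s" % post.get("item_id", "")


# Allowlist of form names -> handlers. The hidden form_name value comes from
# the client, so it is only ever used as a key into this fixed table, never
# to look up a function by name (getattr/globals) or to build a template path.
FORM_HANDLERS: Dict[str, Handler] = {
    "send_message": send_message,
    "delete_item": delete_item,
}


def pick_form_name(post: Mapping[str, str]) -> Optional[str]:
    """Prefer the hidden form_name field; otherwise fall back to the
    submit-button-name convention from the question, but only if exactly
    one known button name is present."""
    name = post.get("form_name")
    if name is not None:
        return name
    present = [key for key in FORM_HANDLERS if key in post]
    return present[0] if len(present) == 1 else None


def ajax_dispatch_view(post: Mapping[str, str]) -> Response:
    """One view handling every AJAX form, dispatching on the allowlist."""
    name = pick_form_name(post)
    handler = FORM_HANDLERS.get(name) if name is not None else None
    if handler is None:
        return 400, "unknown or missing form_name"
    return handler(post)


if __name__ == "__main__":
    print(ajax_dispatch_view({"form_name": "send_message", "message": "hi"}))
    print(ajax_dispatch_view({"send_message": "Send", "message": "hi"}))
    print(ajax_dispatch_view({"form_name": "__import__"}))
```

In a real Django view the mapping is request.POST and each handler returns an HttpResponse; CSRF protection still applies to these POSTs, so the AJAX call must send the CSRF token as usual.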

AJAX Question - Newbie

I have an HTML text box in one of my web pages; there is no submit button.
<form>
<label>Website URL: </label>
<input name="" type="text" class="textfield" />
</form>
The text box is used to enter a URL, and I need to validate this text box using AJAX. So for example if someone enters a URL and hits enter, the URL will appear below the text box and the text box will be emptied again. It will only do this if it is a validly formed URL; for example, if someone writes ttjkl.145 this will not do anything, as it is not a valid URL. It will however accept any variations that are valid, such as http://www.url.com or www.url.co.uk and url.com.au. And it will remove anything after the end of the country code; for example, if the person types www.abc.net/dlkjfk then only www.abc.net will be accepted.
What you need has nothing to do with AJAX. JavaScript alone can do what you need.
The answer you seek already exists:
URL regex validation
Help me validate url which should even accept .me domains
how can i validate a url in javascript using regular expression
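An added example of the check the question describes, written in Python (the same logic ports directly to the client-side JavaScript the answer recommends; this is not code from the page). It accepts the question's valid inputs with or without a scheme, rejects ttjkl.145 because the last label is not alphabetic, and returns only the hostname, dropping path, query, port and userinfo. This is a syntactic check only: it does not resolve DNS or prove the host exists, and if the server later fetches the URL, that code needs its own SSRF controls.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# At least one label followed by an alphabetic top-level/country-code label.
HOSTNAME_RE = re.compile(r"^(?:%s\.)+[a-z]{2,63}$" % LABEL, re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def extract_host(text: str) -> Optional[str]:
    """Return the bare hostname if text is a well-formed http(s) URL or host,
    otherwise None. Anything after the host (path, query, port) is dropped."""
    candidate = text.strip()
    if not candidate:
        return None
    # Without a scheme, urlsplit would treat "www.url.com/x" as a relative path;
    # prefix one so the host lands in netloc.
    if not SCHEME_RE.match(candidate):
        candidate = "http://" + candidate
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # lowercased, userinfo and port already stripped
    if host is None or not HOSTNAME_RE.match(host):
        return None
    return host


if __name__ == "__main__":
    # Constructed inputs taken from the question's own examples.
    for sample in ("http://www.url.com", "www.url.co.uk", "url.com.au",
                   "www.abc.net/dlkjfk", "ttjkl.145"):
        print("%-22s -> %s" % (sample, extract_host(sample)))
```

The regex deliberately requires a dot and an alphabetic last label, so bare words such as localhost and schemes like javascript: or ftp: are rejected as well, which is usually what you want before echoing a user-supplied URL back into the page.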

Spring JSP form:input tag puts commas in int value

Using the Spring 2.5 tag library,
I have an Integer value in a command form that's rendered on my page using <form:input path="budget" htmlEscape="true" />
When the value is > 999, it renders the number as value="x,xxx" on the page. My validation isn't expecting the comma and rejects the value.
Is there a fix for the rendering, or do I need to fix the validation and parsing?
As usual, I was just being blind, and discovered that there was a custom property editor bound to the command form in the controller. It was causing the input field to render with commas.
That would have been fine, if there also wasn't a JavaScript validation that rejected the field for having commas in it.
