Are HTML textbox value attributes safe from XSS attacks?


Solution 1

The built-in textbox control automatically encodes the Text attribute. When you checked the output, did you use view source or the developer console? The console shows escaped data as unescaped, while view source will show the actual output.

Anyways, a classical attack on textbox value attributes would be: " autofocus onfocus="alert(1)

Solution 2

To properly insert this code into your site you must understand how your code works. I'm not sure how ASP.NET declares input fields, but as long as it doesn't automatically encode special characters, my tip should let you insert code.

If, for example, this is how the code of your input looks (this is an input field for an HTML site), where <?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?> is the part of the code that inserts your script back into the HTML page (assuming you are saving the value into the session and redisplaying the value in the textbox):

If you're passing the argument back to the form by using the URL:

http://www.website.com/index.php?username="><script>alert('hi')</script>

From

<input type="text" name="username" 
value="<?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?>">

Then the code you want to inject must look like this:

"><script>alert('hi')</script>

Notice the "> at the beginning of this code. Basically what it does is end the value="" by using the " tag and then close the input field with >.

So the actual result would be:

<input type="text" name="username" value=""><script>alert('hi')</script>

From there you will be able to insert code such as JavaScript.
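Added example (not code from either answer, and not ASP.NET's or PHP's own implementation): a Python re-creation of the template from Solution 2 rendered three ways, with each result parsed the way a browser parses it, which is the same distinction Solution 1 draws between view source and the developer console. The mode labels are this example's own; "quoted" corresponds to PHP's htmlspecialchars with ENT_QUOTES.

```python
import html
from html.parser import HTMLParser

# Payloads quoted in the two answers above (Solution 1 and Solution 2).
ATTR_BREAKOUT = '" autofocus onfocus="alert(1)'
TAG_BREAKOUT = '"><script>alert(\'hi\')</script>'


def render_input(value: str, mode: str) -> str:
    """Render the page's <input> the way the PHP template does.
    'raw'      echoes $_SESSION['username'] unencoded (the vulnerable template)
    'noquotes' encodes only & < > (quotes untouched, still vulnerable)
    'quoted'   encodes & < > " ' (what htmlspecialchars($v, ENT_QUOTES) does)
    The mode names are this example's own labels, not PHP's.
    """
    if mode == "raw":
        v = value
    elif mode == "noquotes":
        v = html.escape(value, quote=False)
    elif mode == "quoted":
        v = html.escape(value, quote=True)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return f'<input type="text" name="username" value="{v}">'


class _StartTags(HTMLParser):
    """Collect (tag, {attr: value}) for every start tag the parser sees."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def browser_view(markup: str):
    """Parse markup as a browser would: this is the DOM the developer console
    shows, while render_input() returns what 'view source' shows."""
    p = _StartTags()
    p.feed(markup)
    p.close()
    return p.tags


def is_contained(value: str, mode: str) -> bool:
    """True when the untrusted value stays inside the value attribute: one
    <input>, no extra attributes, and the browser reads back the original
    (entity-decoded) string as the field's value."""
    tags = browser_view(render_input(value, mode))
    if len(tags) != 1:
        return False
    tag, attrs = tags[0]
    return (tag == "input" and set(attrs) == {"type", "name", "value"}
            and attrs["value"] == value)
```

Only the mode that encodes the quote character keeps both payloads inside the attribute; the questioner's <script> text contains no quote, which is why it never leaves the value attribute even when echoed raw.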


Updated on June 16, 2022

Comments

  • Justin Skiles almost 2 years

    I have a textbox where I want to allow users the ability to type in potentially dangerous characters such as < and > (this is a mathematical expression data entry field which required me to disable ASP.NET validation on the textbox). The data is stored in a database and retrieved later for display on the page. When I display the data in the textbox, I am setting it like this:

    textboxA.Text = expression; where expression comes from the database with the potentially dangerous characters.

    Anyway, I tried purposely inserting something like < script>alert('hi') < /script> but I can't get this script to execute when the Text property is set (translates to the value attribute in client-side HTML). The result looks like:

    < input type="text" value="<script>alert('hi')< /script>">>< /input>

    So what gives, is the value attribute safe from injections?

    Note: The spaces before each tag in the examples are only for StackOverflow because it deletes tags from questions.

  • yellowjacket05 about 7 years
    I have tried this approach, but only the "> inject is read. The remaining inject appears to be discarded and does not appear in the resulting HTML.
  • HelpNeeder about 7 years
    Must be sanitized by something; perhaps you're not using pure PHP/HTML/JS?
  • gschambial over 6 years
    Hi @Erlend, can you explain this a bit more? I have received this as a bug in my security testing.