How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?


The problem is that 'msg' is being passed down to your function, but there is no neutralization of this before it gets used - the string gets used 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf

I've not used this myself, but I think ErrorMessage gets rendered and displayed in the event of an error. Because this will get rendered on the final page if 'msg' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.

Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

You should be able to use HtmlEncode to make this safe:

HttpUtility.HtmlEncode(unencoded);

rev.ErrorMessage = System.Web.HttpUtility.HtmlEncode(msg);
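As an added example (not code from the original answer or question), here is the helper from the question with the one-line fix applied, plus a small console program that shows what HtmlEncode does to a message carrying markup. It assumes .NET Framework with a reference to the System.Web assembly (for HttpUtility and the Web Forms validator types); the class and method names mirror the question, and the sample messages are constructed for the demonstration.

```csharp
// Added example, not from the original page: hardened helper plus a console check.
// Assumes .NET Framework and a reference to System.Web; names mirror the question.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class WebControlAdapterExtender
{
    // Neutralises a message that will be written into the page as HTML text.
    // HtmlEncode turns '<', '>', '&', '"' (and, on .NET 4+, '\'') into entities,
    // so "<script>...</script>" is shown literally instead of parsed as markup.
    public static string NeutralizeForHtml(string msg)
    {
        return string.IsNullOrEmpty(msg) ? string.Empty : HttpUtility.HtmlEncode(msg);
    }

    // Hardened version of the helper from the question: the only change is that
    // ErrorMessage receives the encoded text rather than the raw string.
    public static void WriteRegularExpressionValidator(
        HtmlTextWriter writer, RegularExpressionValidator rev, string className,
        string controlToValidate, string msg, string expression)
    {
        if (rev == null) return;

        rev.CssClass = className;
        rev.ControlToValidate = controlToValidate;
        rev.ErrorMessage = NeutralizeForHtml(msg);   // was: rev.ErrorMessage = msg;
        rev.ValidationExpression = expression;
        rev.RenderControl(writer);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample messages: a normal one, one carrying markup,
        // and one with characters that HtmlEncode rewrites as entities.
        string[] samples =
        {
            "Please enter a valid e-mail address.",
            "<script>alert('xss')</script>",
            "Use \"quotes\" & ampersands"
        };

        foreach (string msg in samples)
        {
            Console.WriteLine("raw:     " + msg);
            Console.WriteLine("encoded: " + WebControlAdapterExtender.NeutralizeForHtml(msg));
            Console.WriteLine();
        }
    }
}
```

Encode once, at the point where the string is handed to the renderer: if a caller has already encoded 'msg', encoding it again displays the entities themselves (for example '&amp;lt;' instead of '<'). On .NET Core / .NET 5+, where the System.Web assembly is not available, System.Net.WebUtility.HtmlEncode provides the same escaping.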
Author: GLP

Updated on July 05, 2022

Comments

  • GLP, almost 2 years ago

    We use a web control adapter in our login page. Recently we ran Veracode on our web application. In the following function, we got CWE-80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line

    rev.ErrorMessage = msg;

    Following is the function in the WebControlAdapterExtender class.

    // Configures the validator and renders it into the page; 'msg' is the
    // text written out as the validator's error message.
    static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
    {
        if (rev != null)
        {
            rev.CssClass = className;
            rev.ControlToValidate = controlToValidate;
            rev.ErrorMessage = msg;            // line flagged by Veracode as CWE-80
            rev.ValidationExpression = expression;
            rev.RenderControl(writer);
        }
    }

    Does anyone have any suggestion how to fix this?