{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 在下西门庆 的问题《HTML Tag injection in asp.net》','https://www.manongdao.com/q-832462.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
My security team reported one html tag injection security issue for the below code
function ClosePopUp(objBhID) {
var pageName = window.location.pathname;
var modalPopupBehavior = $find(objBhID);
if (modalPopupBehavior != null && modalPopupBehavior != 'undefined') {
modalPopupBehavior.hide();
}
if (objBhID == 'bhThankMsg' && pageName == '/Projects/Comm.aspx') {
var objPartnerID = '<%=Request.QueryString["partnerid"]%>';
if (objPartnerID != 'undefined' && objPartnerID != null && objPartnerID != '') {
window.location = '/Projects/Comm.aspx?Id=<%=Request.QueryString["ID"]%>&partnerid=<%=Request.QueryString["partnerid"]%>';
}
else {
window.location = '/Projects/Comm.aspx?Id=<%=Request.QueryString["ID"]%>';
}
}
}
My security team reported the below issue
HTML tag injection vulnerabilities were identified on this web application. HTML tag injections are used to aid in Cross-Site Request Forgeries and phishing attacks against third-party web sites, and can often double as Cross-Site Scripting vulnerabilities. Recommendations include implementing secure programming techniques that ensure proper filtration of user-supplied data, and encoding all user supplied data to prevent inserted scripts being sent to end users in a format that can be executed.
My requirement is i don't want to allow any user or hacker to inject unnecessary data, how to achieve this ?
Although the other answer will work in this case for URLs, because the built in URL encoding happens to encode html and Javascript escape characters, this is not a complete solution for using dynamic server-side values within Javascript. Therefore I post my answer here so hopefully no one falls into the trap of using the wrong encoding and produces something insecure.
The OWASP rule is:
However, an easier, and imo simpler solution is to never put server-side data within any script tag or script enabled attribute at all. Use HTML5 data attributes, then you can insert your data HTML encoded into a safer HTML context.
I see you appear to be using JQuery. Why not do the following, then you can use the built-in ASP.NET encoding functions?
Or simply
on newer versions of .NET.
Your code then becomes: