







Preventing XSS (Cross Site Scripting) with XSL / XSLT
fm@newsgroups.nospam

2004-11-12, 7:15 pm

We want to make sure that information we are displaying to our web clients is
safe from scripts that may have been snuck into the database through other
systems.

What I am doing is having the database field contain a script block which
gets written to an XML document and then transformed to HTML in a <td></td>
table.

I have tried the following variants and none of them execute the script on
the browser (which is what I want).
<script>alert('hello');</script>

<![CDATA[<script>alert("hi SECOND");</script>]]>

<xsl:comment>
<script>alert('hello frm xslt');</script>
</xsl:comment>

Am I safe with XSLT or can someone give me a few script examples that will
sneak through that I can work on blocking?

If it makes a difference, XMLSPY is used to build the XSLT file. The XML
document is created and transformed with Visual Studio 2003 using VB.NET.

Thanks!
fm

Kevin Yu [MSFT]

2004-11-13, 7:14 am

Hi fm,

First of all, I would like to confirm my understanding of your issue. From
your description, I understand that you need to use XSLT to put some script
as text to a table cell. If there is any misunderstanding, please feel free
to let me know.

Here I have written an example for you. You can try using the style sheet
and write according to your requirement. HTH.

Data.xml
=======================================
<?xml version="1.0" encoding="utf-8" ?>
<collection>
<book>
<title>Unearth</title>
<year>1974</year>
<publisher>Living Hand</publisher>
<script><![CDATA[<script> alert('hello world!');</script>]]></script>
</book>

<book>
<title>White Spaces</title>
<year>1980</year>
<publisher>Station Hill</publisher>
<script><![CDATA[<script> alert('hello world!');</script>]]></script>
</book>

<book>
<title>The Invention of Solitude</title>
<year>1982</year>
<publisher>Sun Press</publisher>
<script><![CDATA[<script> alert('hello world!');</script>]]></script>
</book>

<book>
<title>Squeeze Play: A Novel</title>
<year>1982</year>
<publisher>Alpha-Omega</publisher>
<script><![CDATA[<script> alert('hello world!');</script>]]></script>
</book>

<book>
<title>In the Country of Last Things </title>
<year>1987</year>
<publisher>Viking</publisher>
<script><![CDATA[<script> alert('hello world!');</script>]]></script>
</book>

<book>
<title>The Music of Chance</title>
<year>1990</year>
<publisher>Viking</publisher>
<script><![CDATA[<script> alert('hello world!');</script>]]></script>
</book>

<book>
<title>The New York Trilogy</title>
<year>1990</year>
<publisher>Penguin Books</publisher>
<script><![CDATA[<script> alert('hello world!');</script>]]></script>
</book>
</collection>
==============================================

Xslt file
==================================================
<?xml version="1.0" encoding="UTF-8" ?>

<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:template match="/">
<html>
<head>
<title></title>
<link rel="stylesheet" href="1.css" type="text/css"/>
</head>
<body>
<table width="100%" align="center">

<xsl:for-each select="collection/book" >
<tr>
<TD>
<table border="1">
<tr>
<td>Title:</td>
<td><xsl:value-of select="title"/></td>
</tr>
<tr>
<td>Year of first publication:</td>
<td><xsl:value-of select="year/."/></td>
</tr>
<tr>
<td>Publisher:</td>
<td><xsl:value-of select="publisher/."/></td>
</tr>
<tr>
<td>Script:</td>
<td><xsl:value-of select="script/."/></td>
</tr>
</table>
</TD>
</tr>

</xsl:for-each>
</table>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

fm@newsgroups.nospam

2004-11-16, 7:11 pm

Hi Kevin,

That is not exactly what I am trying to do.

I am trying to make sure that someone can't accidentally or maliciously store
script in a database field that would get rendered out to a client and
executed on their browser.

So far as I can tell, if I run XML through XSL then I am all right. However,
if syntax exists, I am looking for that syntax so I can figure out how to
disarm it.





"Kevin Yu [MSFT]" wrote:

> Hi fm,
>
> First of all, I would like to confirm my understanding of your issue. From
> your description, I understand that you need to use XSLT to put some script
> as text to a table cell. If there is any misunderstanding, please feel free
> to let me know.
>
> Here I have written an example for you. You can try using the style sheet
> and write according to your requirement. HTH.
>
> Data.xml
> =======================================
> <?xml version="1.0" encoding="utf-8" ?>
> <collection>
> <book>
> <title>Unearth</title>
> <year>1974</year>
> <publisher>Living Hand</publisher>
> <script><![CDATA[<script> alert('hello world!');</script>]]></script>
> </book>
>
> <book>
> <title>White Spaces</title>
> <year>1980</year>
> <publisher>Station Hill</publisher>
> <script><![CDATA[<script> alert('hello world!');</script>]]></script>
> </book>
>
> <book>
> <title>The Invention of Solitude</title>
> <year>1982</year>
> <publisher>Sun Press</publisher>
> <script><![CDATA[<script> alert('hello world!');</script>]]></script>
> </book>
>
> <book>
> <title>Squeeze Play: A Novel</title>
> <year>1982</year>
> <publisher>Alpha-Omega</publisher>
> <script><![CDATA[<script> alert('hello world!');</script>]]></script>
> </book>
>
> <book>
> <title>In the Country of Last Things </title>
> <year>1987</year>
> <publisher>Viking</publisher>
> <script><![CDATA[<script> alert('hello world!');</script>]]></script>
> </book>
>
> <book>
> <title>The Music of Chance</title>
> <year>1990</year>
> <publisher>Viking</publisher>
> <script><![CDATA[<script> alert('hello world!');</script>]]></script>
> </book>
>
> <book>
> <title>The New York Trilogy</title>
> <year>1990</year>
> <publisher>Penguin Books</publisher>
> <script><![CDATA[<script> alert('hello world!');</script>]]></script>
> </book>
> </collection>
> ==============================================
>
> Xslt file
> ==================================================
> <?xml version="1.0" encoding="UTF-8" ?>
>
> <xsl:stylesheet version="1.0"
> xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
>
> <xsl:template match="/">
> <html>
> <head>
> <title></title>
> <link rel="stylesheet" href="1.css" type="text/css"/>
> </head>
> <body>
> <table width="100%" align="center">
>
> <xsl:for-each select="collection/book" >
> <tr>
> <TD>
> <table border="1">
> <tr>
> <td>Title:</td>
> <td><xsl:value-of select="title"/></td>
> </tr>
> <tr>
> <td>Year of first publication:</td>
> <td><xsl:value-of select="year/."/></td>
> </tr>
> <tr>
> <td>Publisher:</td>
> <td><xsl:value-of select="publisher/."/></td>
> </tr>
> <tr>
> <td>Script:</td>
> <td><xsl:value-of select="script/."/></td>
> </tr>
> </table>
> </TD>
> </tr>
>
> </xsl:for-each>
> </table>
> </body>
> </html>
> </xsl:template>
> </xsl:stylesheet>
>
> Kevin Yu
> =======
> "This posting is provided "AS IS" with no warranties, and confers no
> rights."
>
>

Kevin Yu [MSFT]

2004-11-17, 4:15 am

Hi fm,

If the string in the script contains "]]>", it will stop the CDATA block
and the script after that will be executed, I think.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

fm@newsgroups.nospam

2004-11-19, 12:18 pm

I tried this and it would bring an error up on the transformation. So I am
not sure where to go from here. It is nice to know that XSLT goes a long way
to preventing active script. It would be nice to know it is 100% and if not
then what does get through.

"Kevin Yu [MSFT]" wrote:

> Hi fm,
>
> If the string in the script contains "]]>", it will stop the CDATA block
> and the script after that will be executed, I think.
>
> Kevin Yu
> =======
> "This posting is provided "AS IS" with no warranties, and confers no
> rights."
>
>

Kevin Yu [MSFT]

2004-11-20, 4:15 am

Hi fm,

Whether the "]]>" will do harm to the XML and XSLT depends on how the XML
was formed. If the content of the CDATA block is taken from a database, it might
make the XML invalid. That is my concern. HTH.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

fm@newsgroups.nospam

2004-11-24, 7:17 pm

Kevin,

That is what I am trying to prove. I am not trying to store script in a
database. I am trying to prevent script that maliciously was entered into the
database from getting to a client browser and executing.

We don't have control over the data going into the database. Can we assume
that if we wrap all fields from the database with CDATA tags before assigning
the values to the DOM object that any potential script will be rendered
inactive?

I am not concerned about the transform failing, I am concerned about a
hacker writing a string that makes it through the transform but ends up
executing javascript in a client's browser.

"Kevin Yu [MSFT]" wrote:

> Hi fm,
>
> Whether the "]]>" will do harm to the XML and XSLT depends on how the XML
> was formed. If the content of the CDATA block is taken from a database, it might
> make the XML invalid. That is my concern. HTH.
>
> Kevin Yu
> =======
> "This posting is provided "AS IS" with no warranties, and confers no
> rights."
>
>
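The CDATA-wrapping idea in the post above, and the "]]>" sequence Kevin raised earlier, worked through as an added example that is not part of the thread. It uses Python's standard library rather than the VB.NET/MSXML code under discussion; the sample field values are constructed and the function names are mine. It compares a naive CDATA wrap, a wrap that splits "]]>" so it cannot close the section early, and letting the XML library escape the text node itself, checking each by parsing the document back and comparing the field with the stored value.

```python
import xml.etree.ElementTree as ET

# Constructed sample field values standing in for rows read from an
# untrusted database (not real data from the thread).
UNTRUSTED_FIELDS = [
    "<script>alert('hello');</script>",                         # the payload fm tested
    "plain text with a & b < c",                                # legitimate markup characters
    "ends the block ]]><script>alert('hi SECOND');</script>",  # Kevin's ']]>' case
]


def naive_cdata_wrap(value):
    """Wrap a field in CDATA without looking for ']]>' (the idea under discussion)."""
    return "<![CDATA[" + value + "]]>"


def safe_cdata_wrap(value):
    """Wrap in CDATA, splitting any ']]>' so it cannot close the section early.

    ']]>' becomes ']]' + ']]>' + '<![CDATA[' + '>': the section ends after the
    two brackets and a new section starts with the '>'. A parser concatenates
    adjacent sections, so the text node comes back unchanged.
    """
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_with_tree(value):
    """Build the XML with the library instead; it escapes '<', '>' and '&'
    itself, so no CDATA is needed and no field value can open an element."""
    root = ET.Element("row")
    ET.SubElement(root, "field").text = value
    return ET.tostring(root, encoding="unicode")


def parse_field(xml_text):
    """Parse the document back and return the text of <field>, which is what
    the XSLT stage sees through xsl:value-of."""
    return ET.fromstring(xml_text).find("field").text


def field_round_trips(wrapper, value):
    """True if the field survives serialisation plus parsing unchanged, i.e.
    it is still a single text node rather than markup or a parse error."""
    doc = "<row><field>" + wrapper(value) + "</field></row>"
    try:
        return parse_field(doc) == value
    except ET.ParseError:
        # This is the transformation error fm saw with ']]>' in the data.
        return False


def tree_round_trips(value):
    """Same check for the library-built document."""
    return parse_field(build_with_tree(value)) == value


if __name__ == "__main__":
    for value in UNTRUSTED_FIELDS:
        print(repr(value))
        print("  naive CDATA :", field_round_trips(naive_cdata_wrap, value))
        print("  split CDATA :", field_round_trips(safe_cdata_wrap, value))
        print("  library     :", tree_round_trips(value))
```

The naive wrap fails only on the third value, where "]]>" ends the section and the rest of the string is parsed as markup, which is the failure fm reported. Both the split wrap and the library-built document keep every value as plain text, so nothing in a field can become an element before the XSLT runs.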

Kevin Yu [MSFT]

2004-11-25, 4:17 am

Hi fm,

Thanks for your reply. Since we cannot control when data are stored in
the database, the only thing we can do is to validate these data before putting
them into the DOM document. I suggest you read them one by one into a string
object. We can validate either by checking substrings or by using regular
expressions with some rules.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."

Neil Smith [MVP Digital Media]

2004-11-25, 7:15 am

I haven't got the whole thread here to refer to. But if it's the case
you need to "Safe" output from the DB, probably you can think about
languages like PHP:

PHP has a strip_tags function which you can apply to fields extracted
from your database before you build your XML. I'm sure ASP.NET etc
will have similar functions or library objects which can achieve this.

PHP's strip_tags allows you to specify the precise set of tags which
are removed from content (eg <script>, <a>, <form>, <object> etc)
which would have the effect you desire.

Of course doing this on each pass is a performance hit; you'd be
better doing this once at the time content is inserted (I realise
you've said you can't do this, but it's more optimal if you can).

HTH
Cheers - Neil


On Wed, 24 Nov 2004 11:59:06 -0800, "fm@newsgroups.nospam"
<fm@newsgroups.nospam> wrote:
>Kevin,
>
>That is what I am trying to prove. I am not trying to store script in a
>database. I am trying to prevent script that maliciously was entered into the
>database from getting to a client browser and executing.
>
>We don't have control over the data going into the database. Can we assume
>that if we wrap all fields from the database with CDATA tags before assigning
>the values to the DOM object that any potential script will be rendered
>inactive?
>
>I am not concerned about the transform failing, I am concerned about a
>hacker writing a string that makes it through the transform but ends up
>executing javascript in a client's browser.
>
>"Kevin Yu [MSFT]" wrote:
>
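To show what actually makes the XSLT output inert, answering fm's original question and putting Neil's strip_tags suggestion beside it, here is an added example that is not from this thread. It models in Python what the HTML serializer does with a text node: xsl:value-of encodes the markup characters of the value as entities, which is why none of fm's variants ran in the browser. That protection holds only while the value is emitted as text; a stylesheet that emitted it as raw markup (for instance with disable-output-escaping="yes") would turn the stored string into live HTML. The parser-based check stands in for what a browser would see. The stored value is constructed, and render_cell_*, count_script_elements and escaped_cell_preserves_value are my own names.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample value standing in for a database field (the payload fm
# tested in the thread); not real data.
STORED_VALUE = "<script>alert('hello');</script>"


class ScriptCounter(HTMLParser):
    """Counts the <script> start tags an HTML parser actually sees."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(html_text):
    """Number of script elements a browser-like parser would create."""
    parser = ScriptCounter()
    parser.feed(html_text)
    parser.close()
    return parser.scripts


def render_cell_escaped(value):
    """What xsl:value-of does with a text node: markup characters are encoded
    as entities, so the browser shows the script source as text."""
    return "<td>" + html.escape(value) + "</td>"


def render_cell_raw(value):
    """What emitting the value as raw markup would do (for example with
    disable-output-escaping="yes"): the stored string becomes live HTML."""
    return "<td>" + value + "</td>"


SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def render_cell_stripped(value):
    """strip_tags-style filtering as Neil suggests: the listed tag is removed,
    but the remainder is still emitted as markup and the original text is
    altered rather than displayed."""
    return "<td>" + SCRIPT_TAG.sub("", value) + "</td>"


def escaped_cell_preserves_value(value):
    """The encoded cell decodes back to exactly the stored string, so encoding
    neither executes the value nor changes what the user reads."""
    cell = render_cell_escaped(value)
    return html.unescape(cell[len("<td>"):-len("</td>")]) == value


if __name__ == "__main__":
    for name, render in (("escaped", render_cell_escaped),
                         ("raw", render_cell_raw),
                         ("stripped", render_cell_stripped)):
        cell = render(STORED_VALUE)
        print(f"{name:9s} {count_script_elements(cell)} script element(s): {cell}")
```

Encoding at the output stage is the property to test for, because it is independent of what the field contains: the parser never sees a script element, and the user still sees the field's literal text. Stripping removes the one tag it knows about and silently changes the data, which is why it belongs at most as a defence in depth and not as the thing the rendering path relies on.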


