AntiXss Library, where to inject?

Topics: Core, General
Nov 10, 2011 at 2:06 PM

I'm definitively seeing the security hole in Orchard core and variety of its modules, I think this is a strange mistake that has been made by developers.

I've tried to inject some script code in a comment part and I was really surprised that the Javascript alert message has been displayed and the script fragment was sent without any sanitation, so I'm trying to inject the Microsoft's AntiXss project into the Orchard core. 

Is there any way to intercept any content before being saved or even being displayed?

Nov 10, 2011 at 2:23 PM

You can implement a ContentHandler to catch a variety of operations (save/publish/display/edit).

This would be a good hole to patch up!

Nov 10, 2011 at 4:00 PM

I think there is a straightforward way to implement the sanitation functionality provided by AntiXss by implementing a custom HttpEncoder as described in this article, this custom HttpEncoder after being set in the web.config file, will be used by ASP.NET as the default encoder each time the caller use Html.Encode/Decode 

 <httpRuntime  encoderType="AntiXssEncoder" />

This approach could resolve at a given point some vulnerability.

Nov 10, 2011 at 5:08 PM

It seems that the script that I've tried to inject is executed not because of the comments part didn't encode the content,  but rather the Tracing module didn't sanitize the loaded content.  So the previous approach won't do much more!

Developer
Nov 10, 2011 at 7:14 PM

Comment texts are escaped (with Html.Encode()), although this may not be sufficient. That with Shape Tracing I think is not an issue, as it's a dev tool that should never be enabled in production. It's surprising that ST defeats encoding, though.