
I'm working on updating a classic ASP web page used by a number of sub-sites maintained at the company I work for.

The purpose of the page is to notify the user that they are leaving "our" site and going to another site. It's basically a disclaimer, but due to resource limitations and time limitations I can't add the disclaimer to every site we manage.

This is the crux of the problem. The current code pulls a variable from the query string to create the "continue" link in the new window. This obviously creates many problems in the form of cross-site scripting.

How do I approach this update to eliminate most (if not all) of the cross-site scripting issues using VBScript/ASP?

The code I'm using is below.

<%@ Language = vbScript %>
<% Option Explicit %>

<%
Dim strLink
' The "site" value comes straight from the query string: this is the untrusted input.
strLink = Request.QueryString("site")
' Blacklist filtering: escape angle brackets, drop double quotes,
' then strip a fixed list of tokens (note the original had "&lt" without the closing semicolon).
strLink = Replace(strLink, "<", "&lt;")
strLink = Replace(strLink, ">", "&gt;")
strLink = Replace(strLink, chr(34), "")
' Replace(expression, find, replacewith, start, count, compare):
' start at 1, replace all occurrences (-1), compare mode 1 = vbTextCompare (case-insensitive)
strLink = Replace(strLink, "script", "", 1, -1, 1)
strLink = Replace(strLink, "onclick", "", 1, -1, 1)
strLink = Replace(strLink, "ondblclick", "", 1, -1, 1)
strLink = Replace(strLink, "onmousedown", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseover", "", 1, -1, 1)
strLink = Replace(strLink, "onmousemove", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseout", "", 1, -1, 1)
strLink = Replace(strLink, "onkeypress", "", 1, -1, 1)
strLink = Replace(strLink, "onkeydown", "", 1, -1, 1)
strLink = Replace(strLink, "onkeyup", "", 1, -1, 1)
strLink = Replace(strLink, "onfocus", "", 1, -1, 1)
strLink = Replace(strLink, "onblur", "", 1, -1, 1)
' Remove doubled entity/anchor characters and the start of numeric character references
strLink = Replace(strLink, "&&", "")
strLink = Replace(strLink, "##", "")
strLink = Replace(strLink, "&#", "")
%>

' The filtered value is written directly into the href attribute
<a href="<%= strLink %>">Continue</a>
Nip
  • If the link is already on your site, why would you need to sanitize it? – Diodeus - James MacFarlane Oct 23 '08 at 19:56
  • The problem isn't that the links we add are "bad"; it's that we need a gateway page that will accept ANY URL passed in and then provide the needed disclaimer and forward the user along if they continue with the action of leaving the site. (It's a financial site, so lots of disclaimers and legal "stuff" to deal with.) So the overall issue is that anyone can pass a URL (or "bad" script) to the page and potentially create an XSS problem. – Nip Sep 09 '09 at 04:33

3 Answers

You need to implement an approach that follows the concept of a "Positive Security Model". You should parse the "site" variable and make sure it conforms explicitly to what is allowed, rather than writing something that looks for what should be disallowed. This will make your approach much more resilient to attacks, especially unanticipated ones.

I suggest writing a regex (or ask how to write such a regex on stackoverflow).

Also, while the web service posted by Michael is pretty cool, you should evaluate if it is acceptable or not to take a dependency on such a thing.

Bryan Batchelder
  • I really appreciated the points you made, but on re-examining my situation I've realized that the web service listed below is really what I needed. However, your points above are most excellent and helped me re-evaluate my overall approach to the problem. – Nip Sep 09 '09 at 04:30
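One way to put the positive-security-model advice above into classic ASP, as an added example that is not code from the original question or answers: the `IsAllowedUrl` helper and its regex are assumptions chosen here, and `Server.HTMLEncode` is used as a second layer so the value cannot break out of the attribute.

```vbscript
<%@ Language = vbScript %>
<% Option Explicit %>

<%
' Positive security model (allow-list): the "site" value is accepted only if it
' matches an explicit pattern; everything else is rejected outright.
' IsAllowedUrl is an assumed helper name, not code from the original post.
Function IsAllowedUrl(strUrl)
    Dim re
    Set re = New RegExp
    ' Absolute http or https URL: host of letters, digits, dots and hyphens,
    ' optional port, optional path/query made of URL-safe characters only.
    ' Quotes, angle brackets, spaces and any other scheme never match.
    re.Pattern = "^https?://[A-Za-z0-9][A-Za-z0-9\-\.]*(:[0-9]{1,5})?" & _
                 "(/[A-Za-z0-9\-\._~!$&()*+,;=:@%/?]*)?$"
    re.IgnoreCase = False
    re.Global = False
    IsAllowedUrl = re.Test(strUrl)
End Function

Dim strLink, strSafeLink
' CStr turns a missing parameter into an empty string, which fails the pattern.
strLink = CStr(Request.QueryString("site"))

If IsAllowedUrl(strLink) Then
    ' Second layer: Server.HTMLEncode escapes &, <, > and " so the value
    ' cannot terminate the href attribute even if the pattern is later relaxed.
    strSafeLink = Server.HTMLEncode(strLink)
Else
    ' Reject anything outside the allow-list; fall back to a fixed, trusted page.
    strSafeLink = "/"
End If
%>

<a href="<%= strSafeLink %>">Continue</a>
```

A request such as `?site=https://example.com/page?x=1` passes the pattern and is encoded into the link, while values that start with another scheme or contain quotes or angle brackets fall through to the fixed fallback.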

This is what I recommend for HTML sanitizing -

HTML Whitelist is the latest in the "cool little Python Web service thrown up on App Engine" by my good colleague DeWitt Clinton.

It does one thing, and it does it well. You can pass the service HTML and it will return a sanitized version.

http://html-whitelist.appspot.com/

  • While I originally appreciated Bryan Batchelder's response as the best answer for me, I've come to realize that the web service listed in this answer actually provides me with the answer to my question. I will say that Bryan's response is the broader approach solution and is more applicable to more users. – Nip Sep 09 '09 at 04:28

You could add logic to the continue page to ensure that it is only called by a page on one of your sites, either based on URL or IP address. You could also pass a time and hashed code through for added security.

Toby Mills