2

I am working on a Blazor application where I have a form which takes user input (a form with some text boxes & a text area). What is the best approach to prevent it from cross-site scripting and XSS attacks?

I am using Microsoft.AspNetCore.WebUtilities in other components for encoding and decoding HTML. Will encoding & decoding user input suffice to prevent attacks, vulnerabilities, etc.?

Do I have to use some library such as Gans.XSS.HtmlSanitizer, or is there some inbuilt feature in Blazor?

Thanks in Advance.

Ashiquzzaman
ZKS

2 Answers

2

Since the inputs should be bound to a model inside an <EditForm> component, and that model is a class, can you use the inbuilt <DataAnnotationsValidator /> to get this done using a regular expression? You could build out your model class with a Regex data annotation on the related properties:

using System.ComponentModel.DataAnnotations;

public class ModelToBindTo
{
    // Allow-list of characters; RegularExpressionAttribute must match the whole string.
    [RegularExpression(@"[A-Za-z0-9 _.-]*")] //Check/tweak this before use, going from memory
    public string PropertyToBindInputText { get; set; }
}

By binding to this and using the validator, this should restrict any input characters that could get you into trouble, and you could run it against a regex again on the server side if needed to double-check before persisting the data or doing anything else with it.

Further details on validator can be found here
Data Annotations reference can be found here

Nik P
Comment: Do not use Regular Expressions (Regex) to validate HTML according to the best practices. I would suggest the following library https://github.com/mganss/HtmlSanitizer which is an active library and updated regularly. – Arani Nov 07 '22 at 11:02
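The answer above suggests re-running the same regex on the server. The following console program is an added example (not code from the answer or from Blazor) that does exactly that with the built-in `Validator` class, so the attributes on the bound model are enforced again for a request that bypasses the UI. The model, the `ServerSideValidation` helper and the sample inputs are constructed for illustration; the attribute set is the answer's regex plus `[Required]` (because `RegularExpressionAttribute` treats null or empty as valid) and a length cap.

```csharp
// Added example: server-side re-validation of the DataAnnotations model an <EditForm> binds to.
// Model, helper and inputs are constructed for illustration; not part of the original answer.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

public class ModelToBindTo
{
    // Allow-list of characters. Anything outside it (including < > " ' & ;) fails validation.
    // [Required] is needed because RegularExpressionAttribute accepts null/empty by design.
    [Required]
    [StringLength(200)]
    [RegularExpression(@"^[A-Za-z0-9 _.-]*$",
        ErrorMessage = "Only letters, digits, space, underscore, dot and hyphen are allowed.")]
    public string PropertyToBindInputText { get; set; } = string.Empty;
}

public static class ServerSideValidation
{
    // Runs the same attributes <DataAnnotationsValidator /> uses in the browser.
    // validateAllProperties: true is required, otherwise only [Required] is evaluated.
    public static IList<ValidationResult> Validate(object model)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(model, new ValidationContext(model), results,
            validateAllProperties: true);
        return results;
    }

    public static void Main()
    {
        // Constructed sample inputs: one benign, two that a form must reject.
        var samples = new[]
        {
            "Jane Doe-Smith",
            "<script>alert(1)</script>",
            "Robert'); DROP TABLE Students;--",
        };

        foreach (var s in samples)
        {
            var errors = Validate(new ModelToBindTo { PropertyToBindInputText = s });
            var verdict = errors.Count == 0 ? "valid" : errors[0].ErrorMessage;
            Console.WriteLine($"{s,-36} -> {verdict}");
        }
    }
}
```

Call `ServerSideValidation.Validate` in the handler that receives the submitted model (or before the `DbContext.SaveChanges` call) and refuse the request when the list is non-empty. The allow-list approach rejects markup outright, which is the right fit for plain text fields; it is not a way to validate HTML that the application intends to store and render.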
0

Do I have to use some library such as Gans.XSS.HtmlSanitizer, or is there some inbuilt feature in Blazor?

Blazor does not have a built-in feature to sanitize inputs, such as InputText. So I created a custom DbCommandInterceptor and sanitize all input before I save it into the database, as follows:

using System;
using System.Data;
using System.Data.Common;
using System.Globalization;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore.Diagnostics;

// EF Core interceptor that rewrites the command text and every string-typed
// parameter through ApplyCorrect() just before the command is executed.
public class CorrectCommandInterceptor : DbCommandInterceptor
{
    public override InterceptionResult<DbDataReader> ReaderExecuting(
        DbCommand command,
        CommandEventData eventData,
        InterceptionResult<DbDataReader> result)
    {
        ApplyCorrectCommand(command);
        return result;
    }

    public override ValueTask<InterceptionResult<DbDataReader>> ReaderExecutingAsync(
        DbCommand command,
        CommandEventData eventData,
        InterceptionResult<DbDataReader> result,
        CancellationToken cancellationToken = default)
    {
        ApplyCorrectCommand(command);
        return ValueTask.FromResult(result);
    }

    public override InterceptionResult<int> NonQueryExecuting(
        DbCommand command,
        CommandEventData eventData,
        InterceptionResult<int> result)
    {
        ApplyCorrectCommand(command);
        return result;
    }

    public override ValueTask<InterceptionResult<int>> NonQueryExecutingAsync(
        DbCommand command,
        CommandEventData eventData,
        InterceptionResult<int> result,
        CancellationToken cancellationToken = default)
    {
        ApplyCorrectCommand(command);
        return ValueTask.FromResult(result);
    }

    public override InterceptionResult<object> ScalarExecuting(
        DbCommand command,
        CommandEventData eventData,
        InterceptionResult<object> result)
    {
        ApplyCorrectCommand(command);
        return result;
    }

    public override ValueTask<InterceptionResult<object>> ScalarExecutingAsync(
        DbCommand command,
        CommandEventData eventData,
        InterceptionResult<object> result,
        CancellationToken cancellationToken = default)
    {
        ApplyCorrectCommand(command);
        return ValueTask.FromResult(result);
    }

    private static void ApplyCorrectCommand(DbCommand command)
    {
        command.CommandText = command.CommandText.ApplyCorrect();

        // Only string-like parameters are sanitized; numeric, binary and date
        // parameters are passed through unchanged.
        foreach (DbParameter parameter in command.Parameters)
        {
            switch (parameter.DbType)
            {
                case DbType.AnsiString:
                case DbType.AnsiStringFixedLength:
                case DbType.String:
                case DbType.StringFixedLength:
                case DbType.Xml:
                    if (!(parameter.Value is DBNull) && parameter.Value is string)
                    {
                        parameter.Value = Convert.ToString(parameter.Value, CultureInfo.InvariantCulture).ApplyCorrect();
                    }
                    break;
            }
        }
    }
}

And in the ApplyCorrect method I call the HtmlSanitizer as follows:

using Ganss.Xss; // namespace is Ganss.XSS in HtmlSanitizer versions before 8.0

public static class StringSanitizeExtensions
{
    // Extension method used by the interceptor above; returns an empty string
    // for null/empty input and the sanitized HTML otherwise.
    public static string ApplyCorrect(this string input)
    {
        string sanitizedInput = string.Empty;
        if (!string.IsNullOrEmpty(input))
        {
            var sanitizer = new HtmlSanitizer();
            sanitizedInput = sanitizer.Sanitize(input);
        }
        return sanitizedInput;
    }
}

I recommend that you do not use Regular Expressions (Regex) to validate HTML, according to best practices. I would suggest the following library, mganss/HtmlSanitizer, which is an active library and updated regularly, and which you also mentioned in your question.

Arani
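The question asks whether encoding alone is enough, and the answer above sanitizes with HtmlSanitizer. The following console program is an added example (not code from the answer or from the HtmlSanitizer project) that puts the two side by side on one constructed input and hooks the sanitizer's `RemovingTag` and `RemovingAttribute` events so the application can log what was stripped. It assumes the HtmlSanitizer NuGet package (namespace `Ganss.Xss` from version 8, `Ganss.XSS` before that); `HtmlEncoder` comes with .NET. The `SanitizeDemo` class and the sample string are constructed for illustration.

```csharp
// Added example: output encoding versus HTML sanitization, with event hooks for logging.
// Requires the HtmlSanitizer NuGet package; class and sample input are constructed, not from the answer.
using System;
using System.Collections.Generic;
using System.Text.Encodings.Web;
using Ganss.Xss;

public static class SanitizeDemo
{
    // Constructed sample input, as a user might type into a text area.
    public const string Input =
        "<b>Hello</b> <img src=x onerror=alert(1)> " +
        "<a href=\"javascript:alert(2)\">link</a><script>alert(3)</script>";

    // Output encoding: every character is rendered as text, never as markup.
    // Blazor applies this automatically to @value expressions in a component.
    public static string Encode(string s) => HtmlEncoder.Default.Encode(s);

    // Sanitization: keep an allow-list of tags/attributes/URL schemes, drop the rest.
    // Needed when the value will deliberately be rendered as HTML (e.g. via MarkupString).
    // The Removed list records what the sanitizer discarded, which is worth logging:
    // a non-empty list means the client submitted active markup.
    public static (string Html, IReadOnlyList<string> Removed) Sanitize(string s)
    {
        var removed = new List<string>();
        var sanitizer = new HtmlSanitizer();

        sanitizer.RemovingTag += (_, e) =>
            removed.Add($"tag <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");
        sanitizer.RemovingAttribute += (_, e) =>
            removed.Add($"attribute {e.Attribute.Name} on <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");

        return (sanitizer.Sanitize(s), removed);
    }

    public static void Main()
    {
        Console.WriteLine("Encoded:   " + Encode(Input));

        var (html, removed) = Sanitize(Input);
        Console.WriteLine("Sanitized: " + html);
        foreach (var entry in removed)
        {
            Console.WriteLine("  stripped " + entry);
        }
    }
}
```

The encoded form keeps the user's text intact but shows `<script>` literally, which is the correct result for a plain text field and is what Blazor does on its own when the value is rendered through `@model.Property`. The sanitized form keeps `<b>` and the anchor while removing the `onerror` handler, the `javascript:` href and the `<script>` element, and is only required where the application renders stored content as raw HTML. The two are complementary rather than alternatives: sanitize once when accepting HTML that is meant to be HTML, and rely on encoding for everything else.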