
For example, I have a handler MyPage.ashx?parameter=1&parameter=2

If someone adds <script>alert('Test')</script> to the end of the URL:

MyPage.ashx?parameter=1&parameter=2<script>alert('Test')</script>

the JavaScript will be executed on the client side.

Is there any way to clean the URL of cross-site scripting?

Michael Born
  • Really? How? Are you pasting the parameter 2 value straight into the data returned unescaped? Is it HTML? If so why are you using an ashx, if not why does it execute? – Rup Jun 09 '11 at 14:53
  • Yes, I'm passing the parameter. What is the better way to do it? – Michael Born Jun 09 '11 at 14:59
  • But anyway, it doesn't really matter whether the URL has parameters or not, if someone attaches the script. – Michael Born Jun 09 '11 at 15:05

2 Answers


The javascript is only being executed because you are outputting user input raw.

If your ashx needs to output parameters you must encode them suitably. Assuming you are creating HTML in your ashx page, you need to HtmlEncode the parameter value before you output it. There are different encoding methods for particular output contexts; it's hard to tell which needs to be used without more details of the ashx script.

blowdart
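As an added example (not code from the question or from the answer above), here is a minimal ashx handler for the URL in the question, with the raw write that triggers the alert next to the encoded writes for each output context. The handler name, the markup it emits and the `parameter` query string name are assumptions; the encoding calls are the standard `System.Web.HttpUtility` ones.

```csharp
using System.Web;

// Added example, not from the original post. Assumes an .ashx handler that
// echoes the "parameter" query string value back into an HTML response.
public class MyPage : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // For MyPage.ashx?parameter=1&parameter=2<script>alert('Test')</script>
        // the repeated key is joined, so value is
        // "1,2<script>alert('Test')</script>" (the payload rides in the value).
        string value = context.Request.QueryString["parameter"] ?? "";

        context.Response.ContentType = "text/html";

        // VULNERABLE: raw input copied into the HTML body. This is what runs the alert.
        // context.Response.Write("<p>Parameter: " + value + "</p>");

        // FIXED: encode for the context the value lands in.

        // 1. HTML element body: '<' becomes "&lt;", so no tag is parsed.
        context.Response.Write("<p>Parameter: " + HttpUtility.HtmlEncode(value) + "</p>");

        // 2. Quoted HTML attribute value: quotes and '<' are encoded so the
        //    attacker cannot close the attribute and add an onload= handler.
        context.Response.Write("<input value=\"" + HttpUtility.HtmlAttributeEncode(value) + "\" />");

        // 3. Inside a JavaScript string literal (.NET 4.0+): quotes, backslashes
        //    and '<' '>' are \u-escaped, so "</script>" cannot end the block.
        context.Response.Write("<script>var p = \"" + HttpUtility.JavaScriptStringEncode(value) + "\";</script>");

        // 4. Building a link back to this handler: the value goes through
        //    UrlEncode so it stays a single query string parameter, and the
        //    whole href is then attribute-encoded because it sits in HTML.
        string href = "MyPage.ashx?parameter=" + HttpUtility.UrlEncode(value);
        context.Response.Write("<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">again</a>");
    }
}
```

The point is the second comment in the thread: there is nothing to "clean" from the URL. The browser only executes the script because the handler writes the raw value into HTML; pick the encoder for the place the value is written (body, attribute, script, URL) and the same request produces inert text.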

Check ASP.NET Request Validation

In addition to that you should never render request input parameters unescaped or unvalidated back to the client.

Hauzi
  • I have a handler, it's not applied – Michael Born Jun 09 '11 at 15:02
  • It is, as far as I know. See [how-can-request-validation-be-disabled-for-httphandlers](http://stackoverflow.com/questions/1332400/how-can-request-validation-be-disabled-for-httphandlers) – Hauzi Jun 09 '11 at 15:06
  • Check comments. Joseph said The "validate" attribute in the element has nothing to do with input validation. – Michael Born Jun 09 '11 at 15:09
  • It depends on the ASP.NET Version you're using. See [ASP.NET Request Validation](http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147) – Hauzi Jun 09 '11 at 15:19
  • That's why. As you suggested ASP.NET request validation will work for aspx pages only with ASP.NET < 4.0. You're not supposed to rely on it anyway. You will need to validate/escape URL parts or parameters before you use them as a string for any kind of input or (even worse) output – Hauzi Jun 09 '11 at 15:36
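For reference, as an added note rather than part of the answer or its comments: the version difference discussed above is controlled by the `requestValidationMode` attribute on `<httpRuntime>` in web.config. With the ASP.NET 4.0 mode, request validation runs before any handler, so the URL in the question is rejected with an HttpRequestValidationException before the ashx is reached; with the 2.0 mode only pages validate and the handler sees the raw value. Either way, this is defence in depth on top of output encoding, not a replacement for it.

```xml
<!-- Added example configuration, not from the original thread. -->
<configuration>
  <system.web>
    <!-- "2.0": validation only for .aspx pages; the .ashx handler gets the raw input. -->
    <!-- <httpRuntime requestValidationMode="2.0" /> -->

    <!-- "4.0" (default on ASP.NET 4.0): validation applies to every request,
         handlers included, before the handler code runs. -->
    <httpRuntime requestValidationMode="4.0" />
  </system.web>
</configuration>
```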