Implementierung von HtmlSanitizer und UrlEncoder zur Absicherung von Benutzereingaben gegen XSS und URL-Manipulationsanfälligkeiten.

Developer 02
2024-05-07 16:26:04 +02:00
parent b19cccdc34
commit d8617093ce
11 changed files with 117 additions and 47 deletions


@@ -1,10 +1,9 @@

using EnvelopeGenerator.Application.Contracts;
using EnvelopeGenerator.Application.Services;
using EnvelopeGenerator.Application.Services;
using EnvelopeGenerator.Common;
using EnvelopeGenerator.Web.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Text.Encodings.Web;
namespace EnvelopeGenerator.Web.Controllers
{
@@ -13,13 +12,13 @@ namespace EnvelopeGenerator.Web.Controllers
{
private readonly EnvelopeOldService envelopeService;
private readonly ActionService? actionService;
private readonly IEnvelopeService _envelopeService;
private readonly UrlEncoder _urlEncoder;
public EnvelopeController(DatabaseService database, EnvelopeOldService envelope, ILogger<EnvelopeController> logger, IEnvelopeService envService) : base(database, logger)
public EnvelopeController(DatabaseService database, EnvelopeOldService envelope, ILogger<EnvelopeController> logger, UrlEncoder urlEncoder) : base(database, logger)
{
envelopeService = envelope;
actionService = database?.Services?.actionService;
_envelopeService = envService;
_urlEncoder = urlEncoder;
}
[NonAction]
@@ -28,6 +27,8 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
envelopeKey = _urlEncoder.Encode(envelopeKey);
// Validate Envelope Key and load envelope
envelopeService.EnsureValidEnvelopeKey(envelopeKey);
@@ -52,6 +53,8 @@ namespace EnvelopeGenerator.Web.Controllers
{
try
{
envelopeKey = _urlEncoder.Encode(envelopeKey);
var authSignature = this.GetAuthenticatedReceiverSignature();
if (authSignature != envelopeKey.GetReceiverSignature())