Implementierung von HtmlSanitizer und UrlEncoder zur Absicherung von Benutzereingaben gegen XSS und URL-Manipulationsanfälligkeiten.

2024-05-07 16:26:04 +02:00
parent b19cccdc34
commit d8617093ce
11 changed files with 117 additions and 47 deletions
--- a/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
@@ -1,25 +1,8 @@
@{
    ViewData["Title"] = "Dokument geschützt";
-    string userLanguage = ViewData["UserLanguage"] as string;
-    string[] languages = ViewData["Languages"] as string[];
+    var userLanguage = ViewData["UserLanguage"] as string;
+    var languages = ViewData["Languages"] as string[];
 }
-@* @if(ViewData["UserLanguage"] == null){
-    <script>
-        fetch('/api/data', {  // Assuming the API endpoint is '/api/data' on the same origin
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            body: JSON.stringify({
-                key: 'value'
-            })
-        })
-        .then(response => response.json())
-        .then(data => console.log(data))
-        .catch(error => console.error('Error:', error));
-    </script>
-} *@
-
 <div class="page container p-5">
    <header class="text-center">
        <div class="icon locked">
@@ -30,18 +13,15 @@
        </div>
        <h1>Dokument erfordert einen Zugriffscode</h1>
    </header>
-
    <section class="text-center">
        <p>Wir haben Ihnen gerade den Zugriffscode an die hinterlegte Email Adresse gesendet. Dies kann evtl. einige Minuten dauern.</p>
    </section>
-
    <section class="d-flex">
        <form id="form-access-code" class="form pl-0 ml-0" method="post">
            <div class="input">
                <label class="visually-hidden" for="access_code">Zugriffscode</label>
                <input type="password" id="access_code" class="form-control" name="access_code" placeholder="Zugriffscode" required="required">
            </div>
-
            <div class="button">
                <button type="submit" class="btn btn-primary">Öffnen</button>
            </div>
@@ -49,15 +29,15 @@
        <form class="form pl-0 ml-0" method="post" action="/lang">
            <div class="dropdown">
                <select class="form-select" name="language" onchange="this.form.submit()">
-                    @foreach(var lang in languages)
-                    {
-                        <option data-icon="flag-icon flag-icon-us" value="@lang">@_localizer[@lang]</option>
-                    }
+                    @if(languages is not null)
+                        foreach(var lang in languages)
+                        {
+                    <option data-icon="flag-icon flag-icon-us" value="@lang.TrySanitize(_sanitizer)">@_localizer[@lang].Value.TrySanitize(_sanitizer)</option>
+                        }
                </select>
            </div>
        </form>
    </section>
-
    <section class="text-center">
        <details>
            <summary>Sie haben keinen Zugriffscode erhalten?</summary>
@@ -65,5 +45,4 @@
        </details>
    </section>
 </div>
-
 <footer class="container" id="page-footer">&copy; SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>
--- a/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
@@ -18,7 +18,7 @@
        <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggleExternalContent" aria-controls="navbarToggleExternalContent" aria-expanded="false" aria-label="Toggle navigation">
            <span class="navbar-toggler-icon"></span>
        </button>
-            <div class="navbar-brand me-auto ms-5 envelope-message">@($"Hallo {Model.Name}, {@envelope?.Message}")</div>
+            <div class="navbar-brand me-auto ms-5 envelope-message">@($"Hallo {Model.Name.TrySanitize(_sanitizer)}, {@envelope?.Message.TrySanitize(_sanitizer)}")</div>
        <div class="col-1  p-0 m-0 me-3 d-flex">
            <img src="~/img/digital_data.svg" alt="...">
        </div>
@@ -33,9 +33,9 @@
                </div>
                <div class="col p-0 m-0">
                    <div class="card-body p-0 m-0">
-                        <h5 class="card-title p-0 m-0">@($"{envelope?.Title}")</h5>
-                        <p class="card-text p-0 m-0">@($"Sie haben {(pages.Count())} Briefe zu unterschreiben. Bitte prüfen Sie die Seiten {stPageIndexes}.")</p>
-                            <p class="card-text p-0 m-0"><small class="text-body-secondary">Erstellt am @envelope?.AddedWhen von @sender?.Prename @sender?.Name. Sie können den Absender über <a href="mailto:@(sender?.Email)?subject=@(envelope?.Title)&body=Sehr%20geehrter%20@(sender?.Prename)%20@(sender?.Name),%0A%0A%0A">@sender?.Email</a> kontaktieren.</small></p>
+                        <h5 class="card-title p-0 m-0">@($"{envelope?.Title.TrySanitize(_sanitizer)}")</h5>
+                        <p class="card-text p-0 m-0">@($"Sie haben {(pages.Count())} Briefe zu unterschreiben. Bitte prüfen Sie die Seiten {stPageIndexes.TrySanitize(_sanitizer)}.")</p>
+                        <p class="card-text p-0 m-0"><small class="text-body-secondary">Erstellt am @envelope?.AddedWhen von @sender?.Prename.TrySanitize(_sanitizer) @sender?.Name.TrySanitize(_sanitizer). Sie können den Absender über <a href="mailto:@(sender?.Email.TryEncode(_encoder))?subject=@(envelope?.Title.TryEncode(_encoder))&body=Sehr%20geehrter%20@(sender?.Prename.TryEncode(_encoder))%20@(sender?.Name.TryEncode(_encoder)),%0A%0A%0A">@sender?.Email.TryEncode(_encoder)</a> kontaktieren.</small></p>
                    </div>
                </div>
            </div>
@@ -66,8 +66,10 @@

    var documentBase64String = Convert.ToBase64String(documentBytes);

+    var envelopeKey = ViewData["EnvelopeKey"] as string;
+
    <script>
-        var base64String = "@Html.Raw(documentBase64String)";
+        var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
        var byteCharacters = atob(base64String);
        var byteNumbers = new Array(byteCharacters.length);
        for (var i = 0; i < byteCharacters.length; i++) {
@@ -76,9 +78,9 @@
        var byteArray = new Uint8Array(byteNumbers);
        var documentArrayBuffer = byteArray.buffer;

-        var envelopeResponse = @Html.Raw(envelopeResponseJson);
+        var envelopeResponse = @Html.Raw(envelopeResponseJson.TrySanitize(_sanitizer));
        document.addEventListener("DOMContentLoaded", async () => {
-            const app = new App("#app", "@ViewData["EnvelopeKey"]", envelopeResponse, documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
+            const app = new App("#app", "@envelopeKey.TrySanitize(_sanitizer)", envelopeResponse, documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
            await app.init();
        })
    </script>
--- a/EnvelopeGenerator.Web/Views/TestView/DebugEnvelopes.cshtml
+++ b/EnvelopeGenerator.Web/Views/TestView/DebugEnvelopes.cshtml
@@ -31,7 +31,7 @@
                        <section>
                            <article class="envelope">
                                <strong><a href="/EnvelopeKey/@encodeEnvelopeKey(envelope)">@envelope.Title</a></strong>
-                                <div><strong>Ersteller</strong> @envelope.User.Email</div>
+                                <div><strong>Ersteller</strong> @envelope.User.Email.TrySanitize(_sanitizer)</div>
                                <div><strong>Datum</strong> @envelope.AddedWhen</div>
                            </article>
                        </section>
--- a/EnvelopeGenerator.Web/Views/_ViewImports.cshtml
+++ b/EnvelopeGenerator.Web/Views/_ViewImports.cshtml
@@ -3,4 +3,6 @@
@using Microsoft.Extensions.Localization;
@using EnvelopeGenerator.Application.Resources;
@inject IStringLocalizer<Resource> _localizer;
+@inject System.Text.Encodings.Web.UrlEncoder _encoder
+@inject Ganss.Xss.HtmlSanitizer _sanitizer
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers