Implementierung von HtmlSanitizer und UrlEncoder zur Absicherung von Benutzereingaben gegen XSS und URL-Manipulationsanfälligkeiten.

2024-05-07 16:26:04 +02:00
parent b19cccdc34
commit d8617093ce
11 changed files with 117 additions and 47 deletions
--- a/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/EnvelopeLocked.cshtml
@@ -1,25 +1,8 @@
@{
    ViewData["Title"] = "Dokument geschützt";
-    string userLanguage = ViewData["UserLanguage"] as string;
-    string[] languages = ViewData["Languages"] as string[];
+    var userLanguage = ViewData["UserLanguage"] as string;
+    var languages = ViewData["Languages"] as string[];
 }
-@* @if(ViewData["UserLanguage"] == null){
-    <script>
-        fetch('/api/data', {  // Assuming the API endpoint is '/api/data' on the same origin
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            body: JSON.stringify({
-                key: 'value'
-            })
-        })
-        .then(response => response.json())
-        .then(data => console.log(data))
-        .catch(error => console.error('Error:', error));
-    </script>
-} *@
-
 <div class="page container p-5">
    <header class="text-center">
        <div class="icon locked">
@@ -30,18 +13,15 @@
        </div>
        <h1>Dokument erfordert einen Zugriffscode</h1>
    </header>
-
    <section class="text-center">
        <p>Wir haben Ihnen gerade den Zugriffscode an die hinterlegte Email Adresse gesendet. Dies kann evtl. einige Minuten dauern.</p>
    </section>
-
    <section class="d-flex">
        <form id="form-access-code" class="form pl-0 ml-0" method="post">
            <div class="input">
                <label class="visually-hidden" for="access_code">Zugriffscode</label>
                <input type="password" id="access_code" class="form-control" name="access_code" placeholder="Zugriffscode" required="required">
            </div>
-
            <div class="button">
                <button type="submit" class="btn btn-primary">Öffnen</button>
            </div>
@@ -49,15 +29,15 @@
        <form class="form pl-0 ml-0" method="post" action="/lang">
            <div class="dropdown">
                <select class="form-select" name="language" onchange="this.form.submit()">
-                    @foreach(var lang in languages)
-                    {
-                        <option data-icon="flag-icon flag-icon-us" value="@lang">@_localizer[@lang]</option>
-                    }
+                    @if(languages is not null)
+                        foreach(var lang in languages)
+                        {
+                    <option data-icon="flag-icon flag-icon-us" value="@lang.TrySanitize(_sanitizer)">@_localizer[@lang].Value.TrySanitize(_sanitizer)</option>
+                        }
                </select>
            </div>
        </form>
    </section>
-
    <section class="text-center">
        <details>
            <summary>Sie haben keinen Zugriffscode erhalten?</summary>
@@ -65,5 +45,4 @@
        </details>
    </section>
 </div>
-
 <footer class="container" id="page-footer">&copy; SignFlow 2023-2024 <a href="https://digitaldata.works">Digital Data GmbH</a></footer>