Implementierung von HtmlSanitizer und UrlEncoder zur Absicherung von Benutzereingaben gegen XSS und URL-Manipulationsanfälligkeiten.

2024-05-07 16:26:04 +02:00
parent b19cccdc34
commit d8617093ce
11 changed files with 117 additions and 47 deletions
--- a/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
+++ b/EnvelopeGenerator.Web/Views/Home/ShowEnvelope.cshtml
@@ -18,7 +18,7 @@
        <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggleExternalContent" aria-controls="navbarToggleExternalContent" aria-expanded="false" aria-label="Toggle navigation">
            <span class="navbar-toggler-icon"></span>
        </button>
-            <div class="navbar-brand me-auto ms-5 envelope-message">@($"Hallo {Model.Name}, {@envelope?.Message}")</div>
+            <div class="navbar-brand me-auto ms-5 envelope-message">@($"Hallo {Model.Name.TrySanitize(_sanitizer)}, {@envelope?.Message.TrySanitize(_sanitizer)}")</div>
        <div class="col-1  p-0 m-0 me-3 d-flex">
            <img src="~/img/digital_data.svg" alt="...">
        </div>
@@ -33,9 +33,9 @@
                </div>
                <div class="col p-0 m-0">
                    <div class="card-body p-0 m-0">
-                        <h5 class="card-title p-0 m-0">@($"{envelope?.Title}")</h5>
-                        <p class="card-text p-0 m-0">@($"Sie haben {(pages.Count())} Briefe zu unterschreiben. Bitte prüfen Sie die Seiten {stPageIndexes}.")</p>
-                            <p class="card-text p-0 m-0"><small class="text-body-secondary">Erstellt am @envelope?.AddedWhen von @sender?.Prename @sender?.Name. Sie können den Absender über <a href="mailto:@(sender?.Email)?subject=@(envelope?.Title)&body=Sehr%20geehrter%20@(sender?.Prename)%20@(sender?.Name),%0A%0A%0A">@sender?.Email</a> kontaktieren.</small></p>
+                        <h5 class="card-title p-0 m-0">@($"{envelope?.Title.TrySanitize(_sanitizer)}")</h5>
+                        <p class="card-text p-0 m-0">@($"Sie haben {(pages.Count())} Briefe zu unterschreiben. Bitte prüfen Sie die Seiten {stPageIndexes.TrySanitize(_sanitizer)}.")</p>
+                        <p class="card-text p-0 m-0"><small class="text-body-secondary">Erstellt am @envelope?.AddedWhen von @sender?.Prename.TrySanitize(_sanitizer) @sender?.Name.TrySanitize(_sanitizer). Sie können den Absender über <a href="mailto:@(sender?.Email.TryEncode(_encoder))?subject=@(envelope?.Title.TryEncode(_encoder))&body=Sehr%20geehrter%20@(sender?.Prename.TryEncode(_encoder))%20@(sender?.Name.TryEncode(_encoder)),%0A%0A%0A">@sender?.Email.TryEncode(_encoder)</a> kontaktieren.</small></p>
                    </div>
                </div>
            </div>
@@ -66,8 +66,10 @@

    var documentBase64String = Convert.ToBase64String(documentBytes);

+    var envelopeKey = ViewData["EnvelopeKey"] as string;
+
    <script>
-        var base64String = "@Html.Raw(documentBase64String)";
+        var base64String = "@Html.Raw(documentBase64String.TrySanitize(_sanitizer))";
        var byteCharacters = atob(base64String);
        var byteNumbers = new Array(byteCharacters.length);
        for (var i = 0; i < byteCharacters.length; i++) {
@@ -76,9 +78,9 @@
        var byteArray = new Uint8Array(byteNumbers);
        var documentArrayBuffer = byteArray.buffer;

-        var envelopeResponse = @Html.Raw(envelopeResponseJson);
+        var envelopeResponse = @Html.Raw(envelopeResponseJson.TrySanitize(_sanitizer));
        document.addEventListener("DOMContentLoaded", async () => {
-            const app = new App("#app", "@ViewData["EnvelopeKey"]", envelopeResponse, documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
+            const app = new App("#app", "@envelopeKey.TrySanitize(_sanitizer)", envelopeResponse, documentArrayBuffer, "@ViewData["PSPDFKitLicenseKey"]");
            await app.init();
        })
    </script>