Skip to content
This repository has been archived by the owner on Jan 23, 2024. It is now read-only.

HTML injection in KnockoutContext.Apply(Model) and Initialize(Model) #59

Open
mayorovp opened this issue Feb 13, 2018 · 0 comments
Open

HTML injection in KnockoutContext.Apply(Model) and Initialize(Model) #59

mayorovp opened this issue Feb 13, 2018 · 0 comments

Comments

@mayorovp
Copy link

mayorovp commented Feb 13, 2018
edited
Loading

Example form to reproduce:

@model WebApplication.Models.DefaultModel
@{
    var ko = new KnockoutContext<WebApplication.Models.DefaultModel>(ViewContext);
}

<form>
    @ko.Html.TextBox(m => m.Foo)
    @ko.Html.Span(m => m.Foo)
    <button type="submit">Send</button>
</form>

@ko.Apply(Model)

model:

public class DefaultModel
{
    public string Foo { get; set; }
}

action:

[ValidateInput(false)] // turn off XSS protection in ASP.NET
public ActionResult Index(Models.DefaultModel model)
{
    Response.AddHeader("X-XSS-Protection", "0"); // turn off XSS protection in browser

    return View(model ?? new Models.DefaultModel());
}

Steps to reproduce:

  1. Type </script><script>alert('XSS');</script><script> into textbox
  2. press Enter

Vulnerable line:

knockout-mvc/PerpetuumSoft.Knockout/KnockoutContext.cs

Line 61 in 959da99

sb.AppendLine(string.Format("var {0}Js = {1};", ViewModelName, json));

Possible solution:

sb.AppendLine(string.Format("var {0}Js = {1};", ViewModelName, json.Replace("<", "\\u003c")));

Workaround:

@{ 
    var script = ko.Apply(Model).ToString();
    var p1 = script.IndexOf('>');
    var p2 = script.LastIndexOf('<');
    WriteLiteral(script.Substring(0, p1) + script.Substring(p1, p2 - p1).Replace("<", "\\u003c") + script.Substring(p2));
}
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mayorovp