

XSS protection: encode all class string properties easily

Filed under: ASP.NET MVC, Programming — Sander @ 11:58:40


Protecting your web applications against XSS or cross-site scripting should be a no-brainer for web programmers. The vulnerability is well-known and understood.

And yet, by far the majority of website security vulnerabilities are XSS-related. Either we forget to strip the tags, or whitelist the tags, or encode the string – or in many cases, deem it an unnecessary precaution.

Don’t do the latter. Always minimize the attack surface, even if you’re doing an intranet web application for six users. There is no such thing as an application or website that is completely secure, but that is what we should aim for, even though the goal is impossible.

To help with encoding, I created a helper class that automatically encodes, whitelists or strips the tags in all writeable string properties of a class, be it a DTO, a viewmodel, an entity from EF or anything else. Note that this is NOT a complete solution – you need to decide which type of protection to implement; see the newValue variable. A tag whitelist or wholesale HttpUtility.HtmlEncode() are probably your best bets (I’ll try to do an article about HTML tag whitelisting next week).

I also encourage you to extend and improve my solution, as there are a great many things that could be added – such as allowing specific XSS protection for different fields (using an attribute, for example), encoding of strings in arrays/lists/dictionaries, working with fields and private properties, and so forth.

HtmlEncoder has just one method – EncodeHtml() – with two signatures. You can specify which properties to exclude from XSS protection, i.e. say you have a DTO class of a comment, with string properties such as Content, Email, Name, Website and Signature. You want to allow limited HTML in the signature and content, so you don’t want them to be completely encoded and therefore need to exclude them.

  • HtmlEncoder.EncodeHtml(myCommentDto); if you want all of the string properties to be affected.
  • HtmlEncoder.EncodeHtml(myCommentDto, x => x.Content, x => x.Signature); – exclude Content and Signature using lambda expressions. This is the preferred method of excluding properties, as the compiler will catch typos or property name changes. You will not get an error if you add a non-string property by accident.
  • HtmlEncoder.EncodeHtml(myCommentDto, "Content", "Signature"); – exclude Content and Signature by specifying the property names as strings. Note that typos or property name changes mean that the property will still be encoded. You may even want to declare this method private, so other programmers will not be able to use it and introduce subtle, hard-to-find bugs.

And here is the class. Happy encoding!

using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;
using System.Web;

/// <summary>
/// Helper to escape HTML in all string fields of a class.
/// </summary>
public static class HtmlEncoder
{
    /// <summary>
    /// Encodes the HTML in all writeable public string properties, which are not included in the excludedProperties expressions
    /// Use: HtmlEncoder.EncodeHtml(comment, x => x.CommentBody, x => x.SomeOtherProperty, x => x.CreatedBy, x => x.CreatedDate);
    /// or: HtmlEncoder.EncodeHtml(comment); if you don't need to exclude any fields
    /// Non-string properties will not be affected and no error is thrown if you include them in the excluded properties
    /// All values of the excluded string properties will not be changed
    /// </summary>
    /// <typeparam name="TEntity">The type of the entity.</typeparam>
    /// <param name="entity">The entity.</param>
    /// <param name="excludedProperties">The excluded properties.</param>
    public static void EncodeHtml<TEntity>(TEntity entity, params Expression<Func<TEntity, object>>[] excludedProperties) where TEntity : class
    {
        EncodeHtml(entity, GetExcludedStringPropertyNames(excludedProperties).ToArray());
    }

    /// <summary>
    /// Encodes the HTML in all writeable public string properties; nothing is excluded.
    /// A non-params overload is needed here: with only the two params overloads, a call
    /// with no exclusions (EncodeHtml(comment)) is ambiguous for the compiler.
    /// </summary>
    public static void EncodeHtml<TEntity>(TEntity entity) where TEntity : class
    {
        EncodeHtml(entity, new string[0]);
    }

    /// <summary>
    /// Encodes the HTML in all writeable public string properties, which are not included in excludedProperties
    /// Use: HtmlEncoder.EncodeHtml(comment, "CommentBody", "SomeOtherProperty", "CreatedBy")
    /// All values of the excluded string properties will not be changed
    /// </summary>
    /// <typeparam name="TEntity">The type of the entity.</typeparam>
    /// <param name="entity">The entity.</param>
    /// <param name="excludedProperties">Names of the properties to leave untouched.</param>
    public static void EncodeHtml<TEntity>(TEntity entity, params string[] excludedProperties) where TEntity : class
    {
        if (entity == null)
        {
            throw new ArgumentNullException("entity");
        }

        // BindingFlags.SetProperty only has meaning for InvokeMember; writeability is checked with CanWrite instead.
        // Indexed properties (string this[int]) are skipped because GetValue(entity, null) would throw on them.
        var stringProperties = typeof(TEntity).GetProperties(BindingFlags.Instance | BindingFlags.Public)
            .Where(x => x.PropertyType == typeof(string)
                && x.CanWrite
                && x.GetIndexParameters().Length == 0
                && !excludedProperties.Contains(x.Name)).ToList();

        foreach (var propertyInfo in stringProperties)
        {
            var value = (string)propertyInfo.GetValue(entity, null);

            if (!string.IsNullOrWhiteSpace(value))
            {
                //Apply here a suitable method of encoding – replace, wholesale HtmlEncode(), tag whitelisting or something else
                var newValue = value.Replace('<', ' ').Replace('>', ' ');
                //var newValue = HttpUtility.HtmlEncode(value);

                propertyInfo.SetValue(entity, newValue, null);
            }
        }
    }

    /// <summary>
    /// Get from expressions only writeable string property names, so we know what to exclude.
    /// </summary>
    /// <typeparam name="TEntity">The type of the entity.</typeparam>
    /// <param name="expressions">Member-access lambdas such as x => x.Content.</param>
    /// <returns>Names of the writeable string properties referenced by the expressions.</returns>
    private static List<string> GetExcludedStringPropertyNames<TEntity>(params Expression<Func<TEntity, object>>[] expressions)
    {
        var propertyNames = new List<string>(expressions.Length);

        //this can be completely LINQ, but is way easier to debug and understand as foreach
        foreach (var expression in expressions)
        {
            // A value-type property (x => x.Id) arrives wrapped in a Convert node, so its
            // NodeType is not MemberAccess and it is silently ignored, as documented above.
            if (expression.Body.NodeType == ExpressionType.MemberAccess)
            {
                var memberExpression = (MemberExpression)expression.Body;
                var info = memberExpression.Member as PropertyInfo;
                if (info != null && info.CanWrite && info.PropertyType == typeof(string))
                {
                    propertyNames.Add(memberExpression.Member.Name);
                }
            }
        }
        return propertyNames;
    }
}
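The three call forms from the list above, run against a small comment DTO, as an added example (not code from the post). It assumes the HtmlEncoder class from the post is compiled in the same project; CommentDto, HtmlEncoderDemo and all the sample values are constructed for this demonstration. It also shows two points the text makes: a non-string property in the lambda exclusions is ignored without error, and a typo in a string exclusion means that property is encoded anyway.

```csharp
using System;

// Constructed DTO (hypothetical, not from the post) mirroring the comment example in the text:
// Content and Signature may carry limited HTML, the other string properties may not.
public class CommentDto
{
    public int Id { get; set; }                     // non-string: never touched
    public string Name { get; set; }
    public string Email { get; set; }
    public string Website { get; set; }
    public string Content { get; set; }
    public string Signature { get; set; }
    public string Fingerprint { get; private set; } // no public setter: not writeable, never touched

    public CommentDto(string fingerprint) { Fingerprint = fingerprint; }
}

public static class HtmlEncoderDemo
{
    // Constructed untrusted input, as a user might submit it through a form.
    static CommentDto NewSample()
    {
        return new CommentDto("<raw>")
        {
            Id = 7,
            Name = "Mallory <b>admin</b>",
            Email = "m@example.test",
            Website = "<http://example.test>",
            Content = "Hello <i>world</i>",
            Signature = "-- <b>M</b>"
        };
    }

    static void Dump(string label, CommentDto c)
    {
        Console.WriteLine("{0}: Name=[{1}] Website=[{2}] Content=[{3}] Signature=[{4}] Fingerprint=[{5}]",
            label, c.Name, c.Website, c.Content, c.Signature, c.Fingerprint);
    }

    public static void Main()
    {
        // 1. Lambda exclusions: Content and Signature keep their markup, everything else is encoded.
        //    x => x.Id is a non-string property, so it is ignored without an error.
        var a = NewSample();
        HtmlEncoder.EncodeHtml(a, x => x.Content, x => x.Signature, x => x.Id);
        Dump("lambda", a);

        // 2. String exclusions with a typo: "Contnet" matches no property, so Content IS encoded.
        //    Nothing warns you; this is why the post prefers the lambda form.
        var b = NewSample();
        HtmlEncoder.EncodeHtml(b, "Contnet", "Signature");
        Dump("typo  ", b);

        // 3. No exclusions: every writeable public string property is encoded.
        var c = NewSample();
        HtmlEncoder.EncodeHtml(c);
        Dump("all   ", c);
    }
}
```

Run it once with the placeholder Replace() line in the post's class and once with the HttpUtility.HtmlEncode() line enabled instead: the first merely blanks the angle brackets, the second turns them into entities that the browser renders as text, which is the behaviour you want before the value reaches a view.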


Get all constant values of a class using reflection

Filed under: Programming — Sander @ 18:38:23
// requires: using System; using System.Collections.Generic; using System.Linq; using System.Reflection;

/// <summary>
/// Return all the values of constants of the specified type
/// </summary>
/// <typeparam name="T">What type of constants to return</typeparam>
/// <param name="type">Type to examine</param>
/// <returns>List of constant values</returns>
public static List<T> GetConstantValues<T>(Type type)
{
    FieldInfo[] fields = type.GetFields(BindingFlags.Public
        | BindingFlags.Static
        | BindingFlags.FlattenHierarchy);

    // IsLiteral && !IsInitOnly selects 'const' fields only; 'static readonly' fields are IsInitOnly and are skipped
    return fields.Where(fieldInfo => fieldInfo.IsLiteral
        && !fieldInfo.IsInitOnly
        && fieldInfo.FieldType == typeof(T)).Select(fi => (T)fi.GetRawConstantValue()).ToList();
}

Above is a simple generic method to get all constants of a specific type from a class. For example, to get all string constants, use:

var allStringConstants = GetConstantValues<string>(typeof(myClass));

To get all int values:

var allIntConstants = GetConstantValues<int>(typeof(myClass));

and so forth.
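An added example (not from the post) of what the method is good for in practice: a set of string constants doubles as the whitelist of accepted values, so input such as a role name from a request or a config file is checked against the declared constants instead of being trusted. It assumes GetConstantValues<T> from the post lives in a static class named ReflectionHelpers (an assumption); Roles and RoleCheck are constructed for this demonstration. The mixed-type constants and the static readonly field show which members the method picks up and which it does not.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed class of constants (hypothetical, not from the post).
public static class Roles
{
    public const string Admin = "admin";
    public const string Editor = "editor";
    public const string Reader = "reader";
    public const int MaxSessions = 3;                  // int constant: not returned for T = string
    public static readonly string Default = Reader;    // static readonly: IsInitOnly, never returned
}

public static class RoleCheck
{
    // Reflection runs once, when the type is initialised, not on every check.
    // ReflectionHelpers.GetConstantValues is assumed to be the post's method.
    static readonly HashSet<string> KnownRoles =
        new HashSet<string>(ReflectionHelpers.GetConstantValues<string>(typeof(Roles)), StringComparer.Ordinal);

    // Whitelist check: anything that is not one of the declared constants is rejected.
    // Ordinal comparison means "Admin" is not the same role as "admin".
    public static bool IsKnownRole(string role)
    {
        return role != null && KnownRoles.Contains(role);
    }

    public static void Main()
    {
        Console.WriteLine("string constants: " +
            string.Join(", ", ReflectionHelpers.GetConstantValues<string>(typeof(Roles)).OrderBy(r => r)));
        Console.WriteLine("int constants:    " +
            string.Join(", ", ReflectionHelpers.GetConstantValues<int>(typeof(Roles))));

        // Constructed candidate values, as they might arrive from a request.
        foreach (var candidate in new[] { "admin", "Admin", "root", "", null })
        {
            Console.WriteLine("{0,-8} -> {1}", candidate ?? "(null)", IsKnownRole(candidate) ? "known" : "rejected");
        }
    }
}
```

Because GetFields() gives no ordering guarantee, the example sorts the string constants before printing them; the HashSet makes the order irrelevant for the check itself.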

The inspiration for this method came from http://weblogs.asp.net/whaggard/archive/2003/02/20/2708.aspx


.NET: reflection-based .ToString()

Filed under: Programming — Sander @ 10:58:49

Quite often, I need to see all or some of the values of a class instance. In the case of a single instance, the VS debugger itself will do the trick, but what if you have an array of class instances, say, mapped results from a database – and you need to see if the values are all there and correct? Going one by one through tens or hundreds of instances in the Visual Studio debugger can be… cumbersome.

One way would be to write your own .ToString() override. But what if the class is complex, with dozens of fields or properties? It would mean a whole lot of work to add all of them to the result…

So, System.Reflection to the rescue! Remember that reflection is always more CPU-intensive, so use a reflection-based .ToString() only during debugging – or, to be safe, wrap the code in #if DEBUG … #endif preprocessor directives.

// requires: using System; using System.Reflection; using System.Text;
#if DEBUG
public override string ToString()
{
    StringBuilder sb = new StringBuilder();
    Type type = GetType();
    foreach (FieldInfo info in type.GetFields())
        sb.AppendLine(string.Format("{0}: {1}", info.Name, info.GetValue(this)));

    foreach (PropertyInfo info in type.GetProperties())
    {
        // indexed properties need an argument; GetValue(this, null) would throw on them
        if (info.GetIndexParameters().Length > 0)
            continue;
        sb.AppendLine(string.Format("{0}: {1}", info.Name, info.GetValue(this, null)));
    }

    return sb.ToString();
}
#endif
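The same reflection dump, as an added example (not from the post), with the one caveat a dump like this needs: it copies every member, password hashes and API tokens included, into whatever consumes ToString(), typically a log. The example masks members carrying a marker attribute and keeps the reflection walk under #if DEBUG as the text recommends. SensitiveAttribute, UserRow and ReflectionDump are hypothetical names constructed for this demonstration.

```csharp
using System;
using System.Reflection;
using System.Text;

// Hypothetical marker attribute (not from the post): members carrying it are masked in the dump.
[AttributeUsage(AttributeTargets.Field | AttributeTargets.Property)]
public sealed class SensitiveAttribute : Attribute { }

// Constructed sample class, e.g. a row mapped from a users table.
public class UserRow
{
    public int Id;
    public string Login { get; set; }
    [Sensitive] public string PasswordHash { get; set; }
    [Sensitive] public string ApiToken;

    public override string ToString()
    {
#if DEBUG
        return ReflectionDump.Dump(this);
#else
        return GetType().Name;   // release builds never enumerate members
#endif
    }
}

public static class ReflectionDump
{
    // Same walk as the post's ToString(), with each value passed through Render() first.
    public static string Dump(object instance)
    {
        var sb = new StringBuilder();
        Type type = instance.GetType();
        foreach (FieldInfo info in type.GetFields())
            sb.AppendLine(string.Format("{0}: {1}", info.Name, Render(info, info.GetValue(instance))));

        foreach (PropertyInfo info in type.GetProperties())
        {
            if (info.GetIndexParameters().Length > 0)
                continue;   // indexers need an argument
            sb.AppendLine(string.Format("{0}: {1}", info.Name, Render(info, info.GetValue(instance, null))));
        }
        return sb.ToString();
    }

    // Masked members show only whether a value is present, never the value itself.
    static string Render(MemberInfo member, object value)
    {
        if (value == null)
            return "null";
        return member.IsDefined(typeof(SensitiveAttribute), true) ? "***" : value.ToString();
    }

    public static void Main()
    {
        // Constructed sample values; the hash and token are obvious placeholders.
        var row = new UserRow { Id = 42, Login = "sander", PasswordHash = "PLACEHOLDER-HASH", ApiToken = "PLACEHOLDER-TOKEN" };
        Console.Write(row);
    }
}
```

In a Debug build the output lists Id and Login in clear and prints *** for PasswordHash and ApiToken; in a Release build ToString() returns only the type name, so the reflection cost and the disclosure risk are both gone from production.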
