Aspnetcore.docs: JQuery and XSS

Created on 10 Sep 2018 · 10Comments · Source: dotnet/AspNetCore.Docs

I know the focus is on the API, but when I put this together and added the JQuery front end, I noticed that the todo name is not being encoded and is vulnerable to cross-site scripting. This has to do with the technique of just building up the table's rows using concatenation and appending it as HTML. While not as smooth, something like this may work to build that table and encode the name.

var tr = $('<tr>');
$('<td><input disabled="true" type="checkbox" ' + checked + '></td>').appendTo(tr);
var td = $('<td>');
td.text(item.name);
td.appendTo(tr);
$('<td><button onclick="editItem(' + item.id + ')">Edit</button></td>' +
'<td><button onclick="deleteItem(' + item.id + ')">Delete</button></td>').appendTo(tr);
tr.appendTo($('#todos'));

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: 583ae3e7-5915-f22b-e54c-6c100cf2a7da
Version Independent ID: 95f2549e-29f9-e31a-b4d0-432b971643ff
Content: Create a Web API with ASP.NET Core and Visual Studio
Content Source: aspnetcore/tutorials/first-web-api.md
Product: aspnet-core
GitHub Login: @Rick-Anderson
Microsoft Alias: riande

Impact PR P1 P2 Source - Docs.ms

Source

jamesjardine

All 10 comments

@jamesjardine thanks.

Rick-Anderson on 11 Sep 2018

@scottaddie please review. Should I bump this up to @blowdart ?

Rick-Anderson on 1 Nov 2018

👍1

@MikeWasson FYI.

Rick-Anderson on 1 Nov 2018

@Rick-Anderson Let's have Barry weigh in on this.

scottaddie on 1 Nov 2018

@blowdart customer discovered vulnerable to cross-site scripting. Please comment and set priority.

Rick-Anderson on 1 Nov 2018

Oh dear. Yes, you could probably optimise a bit more;

        var $tr = $('<tr>').append(
            $('<td>').text(...),
            $('<td>').text(item.name),
            $('<td>').text(...)

blowdart on 1 Nov 2018

👍1

@fiyazbinhasan can you fix this JavaScript?

Rick-Anderson on 1 Nov 2018

@Rick-Anderson sure! @blowdart already provided the solution. I'll fix the getdata() method by tomorrow.

fiyazbinhasan on 2 Nov 2018

👍1

@Rick-Anderson @blowdart @jamesjardine please check https://github.com/aspnet/Docs/pull/9415

fiyazbinhasan on 3 Nov 2018

Fixed in https://github.com/aspnet/Docs/pull/9415.

scottaddie on 5 Nov 2018

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Template Configure method is out of date.

serpent5 · 3Comments

Not providing a version for Microsoft.AspNetCore.App results in a package version error

cocowalla · 3Comments

Add API tests to Integration tests

AnthonyMastrean · 3Comments

.Net Type DateTime correlates to input type="datetime-local"

StevenTCramer · 3Comments

400 "The input was not valid." on POST request

royshouvik · 3Comments