1/2/2006 3:03 PM
 

Ok, I've read http://forums.asp.net/1/388929/ShowPost.aspx#388929 and looked over PortalSecurity's InputFilter method. It seems that most DNN modules assume that users with Edit permission are trusted.

I checked the Forum Module since that is a module that expects input from many users (who may not all be trusted). Forum Module calls InputFilter for the body of the message, but not the Subject. So a subject like

<SCRIPT>alert('hello');</SCRIPT>

can be entered with surprising results.

I tested this on Forum version 03.10.04.


WildVoice.com Michael Levy - Are you ready to be heard? WildVoice.com
1/2/2006 6:57 PM
 
The module does use the core's security. I verified this is an issue on my local install. This is an area on which nobody inside the team has taken a strong stance. There are so many things to filter on, and me filtering before sending through the core filter is not the solution either.

Chris Paterra

1/2/2006 8:48 PM
 

Actually, I think this is easy to fix. On the Body text you call

objSecurity.InputFilter(_Body, PortalSecurity.FilterFlag.NoScripting)

to filter out any <SCRIPT> or other tags. You cannot HTML encode here because the user may be giving you formatted input and you want to preserve it. So, your best option is to accept HTML but filter out nasty stuff.

On the Subject text box, you just take the input and later send it out. Since you really don't want to allow users to provide HTML formatting in the subject, you can simply call HttpUtility.HtmlEncode before displaying the subject. This will escape any special HTML characters (like converting < to &lt;) and make it safe to be displayed in a literal or label control.

When presenting the text to be edited in a textbox you don't have to encode it.

I'm not sure what Core security you expect to filter this. I'm pretty sure you have to do it yourself.

WildVoice.com Michael Levy - Are you ready to be heard? WildVoice.com
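As an added illustration (not code from this thread or from DNN), the two strategies described above side by side in Python: the plain-text subject is output-encoded, while the body, which may carry user formatting, goes through a tag allowlist instead. The allowlist filter is a stand-in constructed for this example; it is not DNN's PortalSecurity.InputFilter or the NoScripting flag, whose implementation the thread does not show.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the subject is the one from the thread, the body is made up.
SUBJECT = "<SCRIPT>alert('hello');</SCRIPT>"
BODY = ('Hi <b>all</b>, see <a href="http://example.invalid" onclick="alert(1)">this</a>'
        "<script>alert('x')</script>")

def render_subject(subject):
    """Subject is plain text, so encode on output: <, >, &, and quotes become entities.
    Markup survives as visible text and can no longer be interpreted by the browser."""
    return html.escape(subject, quote=True)

class AllowlistFilter(HTMLParser):
    """Body may contain user formatting, so encoding would destroy it; instead keep only
    a small allowlist of tags/attributes and drop everything else, including event-handler
    attributes and the contents of <script>/<style> elements (illustrative, not DNN's filter)."""
    ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
    SAFE_URL_PREFIXES = ("http://", "https://")

    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities reach handle_data decoded
        self.out = []
        self.skip = 0               # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        allowed_attrs = self.ALLOWED.get(tag)
        if allowed_attrs is None:   # unknown tag: drop the tag itself, keep its text content
            return
        kept = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                       if n in allowed_attrs and v and v.lower().startswith(self.SAFE_URL_PREFIXES))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in self.ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:           # re-encode text so decoded entities cannot form new tags
            self.out.append(html.escape(data, quote=False))

def render_body(body):
    f = AllowlistFilter()
    f.feed(body)
    f.close()
    return "".join(f.out)

if __name__ == "__main__":
    print(render_subject(SUBJECT))  # &lt;SCRIPT&gt;alert(&#x27;hello&#x27;);&lt;/SCRIPT&gt;
    print(render_body(BODY))        # Hi <b>all</b>, see <a href="http://example.invalid">this</a>
```

Running the subject through the body filter would silently produce an empty string, which is why a plain-text field is better served by encoding: the user's text stays visible while the markup is neutralised.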
1/3/2006 2:40 PM
 

I wrote up what I learned on this issue - http://www.accidentalarchitect.com/Home/tabid/68/EntryID/19/Default.aspx

And, I created a little demo ASPX page to show the results of various encodings and filtering - http://www.accidentalarchitect.com/encode.aspx

 

I didn't mean to pick on the Forum module, but it appears to me that many of the standard modules for DNN were built with the assumption that users who can edit the module are trusted. Forum was just the first one I checked.


WildVoice.com Michael Levy - Are you ready to be heard? WildVoice.com
1/8/2006 3:41 AM
 

Thanks, that was an interesting read. Instead of taking your advice verbatim, I went and ran the subjects across the XSSController class built into the forum module. This will handle all those items and allow for control on others from here. The bodies of the posts are already being run against the Portal Security you mentioned two posts below. I am still submitting the module for a full security review, but through my tests after this change it seems this problem is solved.


Chris Paterra
