

FilterFlag not doing its job
8/29/2008 11:42 AM
 

Hi everybody,

 

I have a querystring or form post mapped to variables I can access in my module. Part of the mapping is the get and set of the value to be used within the module. To prevent hacking I added PortalSecurity with some FilterFlags. The code doing the filtering is:

 


using DotNetNuke.Common.Utilities;
using DotNetNuke.Security;

....
class start etc...

 ......

// PortalSecurity instance whose InputFilter does the filtering
private PortalSecurity security = new PortalSecurity();

private string p_Title = Null.NullString;

public string Title
{
    get { return p_Title; }
    set
    {
        p_Title = security.InputFilter(value, PortalSecurity.FilterFlag.NoMarkup | PortalSecurity.FilterFlag.NoAngleBrackets
            | PortalSecurity.FilterFlag.NoScripting | PortalSecurity.FilterFlag.NoSQL);
    }
}

Now I enter a script to change the d o c u m e n t . l o c a t i o n . h r e f (without whitespaces of course) to another website enclosed in script tags and it just passes the filter. How is this possible? It was not even encoded or whatsoever. Just plain JavaScript was shot into the database and was fired on loading the page.

Hope anyone has an idea.

Alexander


 

 
9/2/2008 1:32 PM
 

Not all of the filters are complementary e.g. the NoSQL filter is designed to strip T-SQL keywords from content being passed to stored procedures, so is intended to be used by itself and not in combination with any other filter. Also, the NoAngleBrackets filter is not intended for most people, it was added per request of a major military entity that was having problems passing a security audit - for some reason their security team did not recognise the difference between htmlencoded content and unencoded content, despite our explanations and demos. Rather than risk getting DotNetNuke banned for no valid reason we added the NoAngleBrackets filter.

In general you use NoSQL for input used in dynamic sql or within stored procedures (via exec or sp_execute), you use NoScript if you want dangerous javascript and html tags used for xss/xsrf to be removed but "safe" html to be allowed, and NoMarkup to htmlencode all content. It's also likely that you'll combine NoMarkup and NoScript to ensure that only safe content stripped of javascript is stored.

Cathal


 
9/5/2008 6:23 PM
 

Hi,

 

Thanks for the answer. I did try the NoScripting option alone as well (and kept adding stuff to try to get it working). It still got my module to redirect to google.com when I hit the page because I entered a script command in an input box to do just that. I enter: <script> document.location.href="www.google.com";</script> and it passed the filter.

 
9/6/2008 7:08 AM
 

I've tested this a number of times and cannot replicate. What version of DNN are you using? The NoScripting filter has been in place since about 1.10, but it was tweaked a little while back. As with all filters it's designed for plaintext, but it was noticed that a lot of module developers were incorrectly passing HTML-encoded content to it, so a while back (about 4.6 I think) I added additional code to try and detect if encoded content had been incorrectly passed, decode it, perform the checks and then return it to its original encoded state. If you're using an old version of DNN, perhaps you are not passing the filter data correctly.

Cathal


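The flag usage Cathal describes in his two replies (NoSQL on its own for dynamic SQL input, NoScripting plus NoMarkup for stored free text, and always passing the raw rather than pre-encoded value), put into a module-side helper. This is an added example, not code from the thread or from DNN; the payload is constructed to mirror the one reported, and the ScriptTag pattern and TryFilterTitle method are hypothetical, not part of the DNN API.

```csharp
using System;
using System.Text.RegularExpressions;
using DotNetNuke.Security;

// Added example (not DNN's own code). Only PortalSecurity.InputFilter and the
// FilterFlag values from the thread are DNN API; everything else is assumed.
public static class InputFilterUsage
{
    // Hypothetical check: an unencoded <script ...> or </script> left in the
    // value means the NoScripting pass did not remove it.
    private static readonly Regex ScriptTag =
        new Regex(@"<\s*/?\s*script\b", RegexOptions.IgnoreCase);

    // Free text that will be stored and rendered: strip dangerous markup,
    // then HTML-encode whatever remains.
    public static string FilterForStorage(string raw)
    {
        var security = new PortalSecurity();
        return security.InputFilter(raw,
            PortalSecurity.FilterFlag.NoScripting | PortalSecurity.FilterFlag.NoMarkup);
    }

    // Input that ends up in dynamic SQL or an EXEC / sp_executesql call:
    // NoSQL is used by itself, not combined with the other flags.
    public static string FilterForDynamicSql(string raw)
    {
        var security = new PortalSecurity();
        return security.InputFilter(raw, PortalSecurity.FilterFlag.NoSQL);
    }

    // Assumed caller workflow: hand the filter the raw request value (never a
    // value the module already HTML-encoded), then refuse to persist the
    // result if a raw script tag survived.
    public static bool TryFilterTitle(string rawFromRequest, out string safeTitle)
    {
        safeTitle = FilterForStorage(rawFromRequest);
        return !ScriptTag.IsMatch(safeTitle);
    }

    public static void Main()
    {
        // Constructed payload mirroring the one in the thread.
        const string payload = "<script> document.location.href=\"www.google.com\";</script>";
        string title;
        bool ok = TryFilterTitle(payload, out title);
        Console.WriteLine(ok ? "stored: " + title : "rejected: a script tag survived filtering");
    }
}
```

Passing a value that was already HTML-encoded, as the last reply notes, is the usual reason the filter appears to do nothing; feed it the raw request value and encode on output instead.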
 