Article ID: 253120 - View products that this article applies to.
This article was previously published under Q253120
This article has been archived. It is offered "as is" and will no longer be updated.
The following article discusses how to identify and correct Visual InterDev applications that are susceptible to CSSI (Cross-Site Scripting Security Issues). Only input which is not correctly validated or formatted makes your application vulnerable to attack.
This article focuses on Visual InterDev Design Time Controls (DTC) and the Script Library. For general guidelines regarding ASP code, please see the following Knowledge Base article:
(http://support.microsoft.com/kb/253119/EN-US/ )How To Review ASP Code for Vulnerability for CSSI
The Visual InterDev DTCs present unique challenges to developers because some of the code is generated automatically. A developer may not be familiar with the specific implementation of the script objects that are generated and any vulnerabilities of them or how to best address them. This article covers all the known issues with the various DTCs, and it also covers possible options for addressing those vulnerabilities.
The issues fall into two specific categories:
When using any method of a DTC that retrieves information from that DTC (such as .getCaption, .getText, .Value), when the value was set using user supplied information, the resulting string is not HTMLEncoded. Also, some DTCs that can be bound to a database field display the raw information from the database without encoding. As such, you should HTMLEncode these values when displaying to a browser. For example:
If the data is to be used as part of a URL, you should use URLEncode instead. For example:
Because there are multiple ways to encode entrusted scripting code characters, you should explicitly set the character set for the page the browser renders. You can do this by inserting a client-side <META> tag in between the <HEAD> tags of your document. For example:
This can also be done from ASP using the Response.Charset property:
Here are some common examples:
Collapse this tableExpand this table
Here are possible solutions for these examples:
Collapse this tableExpand this table
The Grid DTC does not HTMLEncode values retrieved from a database. If your database takes user input (for example, a guestbook), you should HTMLEncode your output. This can be done by clicking the the Data tab in the Grid property dialog box, and typing:
Where fieldname is the name of each field that is displayed for that column. Most DTCs automatically HTMLEncode data retrieved from a database when displaying; some do not. Those controls should make use of additional code to ensure that output to a client is properly HTMLEncoded.
NOTE: DTCs usually automatically implement the necessary logic to maintain their state during round trips to the server. In the case of the Textbox DTC for example, when the information is round tripped to the server, the Textbox.asp script library page correctly HTMLEncodes the contents of the text box in the process of maintaining the control's state.
For more information, see the following advisory from the Computer Emergency Response Team (CERT) at Carnegie Mellon University:
http://www.cert.org/advisories/CA-2000-02.htmlPlease see the following Knowledge Base articles for further information:
(http://support.microsoft.com/kb/252985/EN-US/ )How To Prevent Cross-Site Scripting Security Issues For Web Applications
(http://support.microsoft.com/kb/253119/EN-US/ )How To Review ASP Code for CSSI Vulnerability
(http://support.microsoft.com/kb/253121/EN-US/ )How To Review MTS/ASP Code for CSSI Vulnerability
(http://support.microsoft.com/kb/253117/EN-US/ )Preventing Internet Explorer and Outlook Express Cross-Site Scripting Security Issues