MORE INFORMATION

The Visual InterDev DTCs present unique challenges to developers because some of the code is generated automatically. A developer may not be familiar with the specific implementation of the script objects that are generated and any vulnerabilities of them or how to best address them. This article covers all the known issues with the various DTCs, and it also covers possible options for addressing those vulnerabilities.

The issues fall into two specific categories:

1. DTCs that are scripted to display data from a database, and the database contains input from users.
2. DTCs that are scripted to display or use data that was submitted from the client.

In both cases, proper validation and encoding of output values prevents a DTC-based page from being used in a CSSI attack.

When using any method of a DTC that retrieves information from that DTC (such as .getCaption, .getText, .Value), when the value was set using user supplied information, the resulting string is not HTMLEncoded. Also, some DTCs that can be bound to a database field display the raw information from the database without encoding. As such, you should HTMLEncode these values when displaying to a browser. For example:

Response.Write Server.HTMLEncode(Textbox1.value)
                

If the data is to be used as part of a URL, you should use URLEncode instead. For example:

Response.Write "<A HREF=http://webserver/webapplication/page.asp?data=" & Server.URLEncode(Textbox1.value) & ">Click here!</A>"
                

Because there are multiple ways to encode entrusted scripting code characters, you should explicitly set the character set for the page the browser renders. You can do this by inserting a client-side <META> tag in between the <HEAD> tags of your document. For example:

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset= ISO-LATIN-1">
                

This can also be done from ASP using the Response.Charset property:

<% Response.Charset= "ISO-LATIN-1" %>
                

Here are some common examples:

Response.Write Button1.Value()

Response.Write CheckBox1.getCaption()

Response.Write Label1.getCaption()

Response.Write Listbox1.getText()

Response.Write OptionGroup1.getValue()

Response.Write Textbox1.Value()

Here are possible solutions for these examples:

Response.Write Server.HTMLEncode(Button1.Value())

Response.Write Server.HTMLEncode(CheckBox1.getCaption())

Response.Write Server.HTMLEncode(Label1.getCaption())

Response.Write Server.HTMLEncode(Listbox1.getText())

Response.Write Server.HTMLEncode(OptionGroup1.getValue())

Response.Write Server.HTMLEncode(Textbox1.Value())

The Grid DTC does not HTMLEncode values retrieved from a database. If your database takes user input (for example, a guestbook), you should HTMLEncode your output. This can be done by clicking the the Data tab in the Grid property dialog box, and typing:

=Server.HTMLEncode([fieldname])
                

Where fieldname is the name of each field that is displayed for that column. Most DTCs automatically HTMLEncode data retrieved from a database when displaying; some do not. Those controls should make use of additional code to ensure that output to a client is properly HTMLEncoded.

NOTE: DTCs usually automatically implement the necessary logic to maintain their state during round trips to the server. In the case of the Textbox DTC for example, when the information is round tripped to the server, the Textbox.asp script library page correctly HTMLEncodes the contents of the text box in the process of maintaining the control's state.