vintage_coder
10-18-2006, 03:45 PM
Hi,
I'm currently trying to upgrade the security of our website and have run into a roadblock of sorts that I'm hoping to get some help on. I am working on a simple page that is passed a text message and a URL as two variables in a query string. Our security team is using a tool called WebInspect that tries to break the code. Right now it has broken this by appending the following to the URL:
+onmouseover%3dalert(%27spid%27)+
I am reading the url value with the following:
str_url = Server.htmlencode(Request.querystring("REDIRECT_URL"))
I have a javascript function that will scan a text string for illegal characters. To use it I need to convert the vbscript variable to an html variable, which I do using a hidden input statement with the name url:
<input type=hidden name="url" value=<%=str_url%>>
When I use a JavaScript alert box to view the value of url, it does not show any characters past the end of the actual URL that I want, so when I call the JavaScript function it does not find any problem, and I cannot test this way. My real problem occurs when I try to redirect the page. This is done when a button is clicked, using the following code:
<input type=button name="" value="Click Here" onclick="location.href='<%=str_url%>'" ID="Button1">
This is pretty standard, but in this case, str_url, as I explained before, contains the appended garbage, and I get a javascript "error on page" when the button is clicked. Is there any way to use the form variable url instead of the vbscript variable str_url to assign the redirect path? I tried to use formname.url.value but it used the string literally and did not put the value of the variable into the statement. If anyone has any other suggestions that would be great too. I'm sure this is standard stuff for increasing the security of a web page, but I can't seem to find information on exactly this problem.
Thanks
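An added example, not the poster's code, runnable under Node.js: a simplified model of how a browser splits an unquoted attribute value at the first space (which is why the alert box showed a truncated value and why the scanner's suffix turned into an onmouseover attribute), the quoted-and-encoded form of the hidden input beside it, and a server-side acceptance check for the redirect target. The decoded suffix and the example.com URL are constructed from the post; that classic ASP's Server.HTMLEncode leaves the single quote unencoded is an assumption.

```javascript
// Decoded form of the scanner's suffix "+onmouseover%3dalert(%27spid%27)+"
// (form encoding: "+" is a space). Constructed sample input.
const INJECTED = decodeURIComponent("+onmouseover%3dalert(%27spid%27)+".replace(/\+/g, " "));
const TAINTED_URL = "http://example.com/next.asp" + INJECTED;

// Encode a string for use inside a quoted HTML attribute. The single quote is
// included because classic ASP's Server.HTMLEncode is assumed not to encode it.
function htmlAttrEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Simplified model of a browser tokenizing the attributes of a start tag: a
// quoted value runs to the closing quote, an unquoted value ends at the first
// whitespace, and whatever follows is read as further name=value pairs.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// The post's pattern: value=<%=str_url%> with no quotes around the value.
function renderUnquoted(url) {
  return `type=hidden name="url" value=${url}`;
}

// Hardened pattern: every attribute quoted and the dynamic value encoded.
function renderQuoted(url) {
  return `type="hidden" name="url" value="${htmlAttrEncode(url)}"`;
}

// Server-side acceptance check for the redirect target: only an absolute
// http(s) URL or a site-relative path, with no whitespace, quotes or angle
// brackets. Rejects both the scanner's suffix and javascript:/data: targets.
function isAcceptableRedirect(url) {
  if (/[\s"'<>]/.test(url)) return false;
  return /^https?:\/\/[A-Za-z0-9.-]+(?::\d+)?(?:\/\S*)?$/.test(url) || /^\/(?!\/)/.test(url);
}

console.log(parseAttributes(renderUnquoted(TAINTED_URL))); // has an onmouseover key
console.log(parseAttributes(renderQuoted(TAINTED_URL)));   // type, name, value only
console.log(isAcceptableRedirect(TAINTED_URL));            // false
```

With the value quoted, the hidden field carries the whole string, so a client-side scan of formname.url.value would actually see the appended text; the server-side check is still the one to rely on, because client-side script can be skipped by the caller.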