Promoting SoC Through Application Layering

Creating a layered design in an application is a fundamental element of modern software architecture. The goal is to promote the Separation of Concerns (SoC) design principle.

Separation of Concerns

The ideas behind SoC date back to Dijkstra's 1974 paper "On the role of scientific thought".

In computer science, separation of concerns (sometimes abbreviated as SoC) is a design principle for separating a computer program into distinct sections. Each section addresses a separate concern, a set of information that affects the code of a computer program. A concern can be as general as "the details of the hardware for an application", or as specific as "the name of which class to instantiate". A program that embodies SoC well is called a modular program. Modularity, and hence separation of concerns, is achieved by encapsulating information inside a section of code that has a well-defined interface. - Wikipedia

SoC is a broad design principle th...

HttpUtility.HtmlEncode to Prevent XSS and HTML Injection

If you have text input fields in your ASP.NET application, it's important to armor the application against XSS and HTML Injection. ASP.NET does its best to automatically prevent these kinds of attacks by using request validation, but as developers, we must also do our part.

When accepting user input in a text field, it's important to call HttpUtility.HtmlEncode to encode the input before displaying it in another area of the application or even persisting it to a database.

There are numerous articles about this issue; here is an older one from Microsoft: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings

Something worth noting is that virtually no educational code samples sanitize the user input. As developers, it's not something we regularly see when learning how to create ASP.NET applications. That's because securing an application is its own subject and usually outside the scope of many tutorials.

To illustrate the issue, here is a simple Razor Page that has a single text input.

Simple Razor Page Screenshot

@page
@model IndexModel
@{
    ViewData["Title"] = "Home";
}

<form method="post">
    <div>
        <label for="UserInput">User Input:</label>
        <input type="text" name="UserInput" />
        <input type="submit" value="Save" />
    </div>
</form>

Here is the corresponding .cshtml code that processes the form's submit:

// HttpUtility lives in the System.Web namespace (add "using System.Web;" to the PageModel file).
public void OnPost()
{
    // Raw value exactly as the browser submitted it (form field names are matched case-insensitively).
    string userInput = Request.Form["userinput"].ToString();

    // Same value with <, >, &, " and ' replaced by HTML entities, so a browser renders it as text.
    string encodedUserInput = HttpUtility.HtmlEncode(Request.Form["userinput"]);

    System.Diagnostics.Debug.WriteLine($"userInput: {userInput}");
    System.Diagnostics.Debug.WriteLine($"encodedUserInput: {encodedUserInput}");
}

The output of the debug statements:

Debug.WriteLine Screenshot

You can see that if you don't HtmlEncode the input, it will be saved with the HTML intact. In theory, this HTML could contain harmful code. Using HtmlEncode is simple and can protect against certain exploits, so there is no reason not to use it.
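HtmlEncode protects text that is rendered in the body of a page; the other output contexts an ASP.NET page commonly writes into need their own encoder. The following console program is an added example (not code from the original post or its repository) that runs one constructed input through the HttpUtility encoders for each context, assuming .NET 6 or later where System.Web.HttpUtility is part of the shared framework.

```csharp
// Added example: encoding the same user input for the context it is rendered in.
// Assumes .NET 6+ (System.Web.HttpUtility is available without extra packages).
using System;
using System.Web;

class EncodingContexts
{
    // Constructed sample input shaped like a typical injection attempt.
    const string UserInput = "<img src=x onerror=\"alert('xss')\">";

    static void Main()
    {
        // HTML body (what the post demonstrates): angle brackets and quotes become
        // entities, so the browser shows the text instead of creating an element.
        string body = HttpUtility.HtmlEncode(UserInput);
        Console.WriteLine($"<p>{body}</p>");

        // Quoted attribute value: use the attribute encoder and always quote the attribute,
        // otherwise a space in the input ends the attribute early.
        string attr = HttpUtility.HtmlAttributeEncode(UserInput);
        Console.WriteLine($"<input type=\"text\" value=\"{attr}\" />");

        // JavaScript string literal: HTML encoding is the wrong tool here; escape for a
        // JS string and keep the value inside quotes.
        string js = HttpUtility.JavaScriptStringEncode(UserInput);
        Console.WriteLine($"<script>var saved = '{js}';</script>");

        // URL query parameter: percent-encode so the value cannot add parameters or paths.
        string url = HttpUtility.UrlEncode(UserInput);
        Console.WriteLine($"<a href=\"/search?q={url}\">search</a>");

        // Encoding is reversible, so storing the raw value and encoding at render time
        // loses no information; the debug output in the post shows both forms.
        Console.WriteLine($"round trip intact: {HttpUtility.HtmlDecode(body) == UserInput}");
    }
}
```

The first line of output contains no literal "<" or ">" characters, which is what keeps the browser from interpreting the stored value as markup.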

Keep in mind that there are many other aspects to securing an ASP.NET application and this is just one piece of the security pattern that should be implemented. For more information on ASP.NET security, refer to Microsoft's ASP.NET Core security topics.

Source code: https://github.com/jharrell-bits/HtmlEncodeDemo