
  • pbl_dk 150 posts 551 karma points
    Apr 19, 2018 @ 08:38
    pbl_dk
    0

    AngularJS Injection problem

    Hi there.

    We are using a form field for search on the website (Umbraco 7.9.2). Testers came back with a problem, since it's possible to execute JavaScript in the form field. It's AngularJS itself.

    If one writes: {{constructor.constructor('alert(1)')()}} it's executed in the browser.

    I have tried to make a kind of filter in AngularJS, but I was wondering if anyone knows whether it would be possible to fix this on the backend/server side (Razor/C#)?

    // Strip characters from the bound form value before it is used.
    // Removing "{" and "}" prevents AngularJS from seeing a "{{ ... }}" expression;
    // the remaining replacements remove quotes, slashes and other delimiters.
    $scope.intrusionval = function () {
      var _repl = $scope.formval;
      _repl = _repl.replace(/{/g, "");
      _repl = _repl.replace(/}/g, "");
      _repl = _repl.replace(/&/g, "");
      _repl = _repl.replace(/'/g, "");
      _repl = _repl.replace(/"/g, "");
      _repl = _repl.replace(/\\/g, "");
      _repl = _repl.replace(/\//g, "");
      _repl = _repl.replace(/\?/g, "");
      $scope.formval = _repl;
    };

    Or even just where to begin...

    /Cheers

    Peter

  • pbl_dk 150 posts 551 karma points
    Apr 19, 2018 @ 11:02
    pbl_dk
    100

    I think I got it kind of stopped by putting this into the cshtml.

    @{
        // Read the query parameter once and guard against it being absent;
        // calling .Contains() on a missing "q" would throw a NullReferenceException.
        // Redirect away if the value contains characters that could open an
        // AngularJS expression or break out of the markup.
        var q = Request["q"];
        if (!string.IsNullOrEmpty(q) && (q.Contains("{") || q.Contains("&") || q.Contains("?") || q.Contains("<")))
        {
            Response.RedirectPermanent("/");
        }
    }
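Both posts above try to contain the problem by stripping or rejecting characters. As an added example (not code from either post, nor from Umbraco or AngularJS), the functions below show the approach a reviewer would recommend instead: keep the echoed search term out of AngularJS's template language altogether by HTML-encoding it and placing it inside an `ng-non-bindable` element, which AngularJS leaves uninterpolated. This assumes the search term is reflected into markup that AngularJS later compiles; the helper names and the regex-based template check are constructed for illustration, and a real check on generated templates should parse the DOM rather than rely on a regex.

```javascript
// Added example: safe echo of an untrusted search term into an AngularJS page.
// Assumes the server renders the term into markup that AngularJS compiles.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode untrusted text so it cannot close its element or attribute.
// Encoding alone does NOT stop AngularJS interpolation, since "{{" and "}}"
// are not HTML metacharacters; that is what ng-non-bindable is for.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the echoed term inside an ng-non-bindable element. AngularJS skips
// interpolation for that subtree, so "{{ ... }}" is shown as literal text.
function renderSearchEcho(term) {
  return `<span ng-non-bindable>${htmlEncode(term)}</span>`;
}

// Defensive check for markup you generate: report any interpolation markers
// that sit outside an ng-non-bindable element. Constructed regex, illustration
// only; a production linter should walk the DOM instead.
function containsUnguardedInterpolation(html) {
  const guarded = /<([a-z0-9]+)\b[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/gi;
  const withoutGuarded = html.replace(guarded, '');
  return /\{\{[\s\S]*?\}\}/.test(withoutGuarded);
}

// Usage on the term from the first post (a constructed, offline run):
const echoed = renderSearchEcho("{{constructor.constructor('alert(1)')()}}");
console.log(echoed);
console.log('unguarded interpolation:', containsUnguardedInterpolation(echoed)); // false
```

The template check is useful as a regression test: run it over every page fragment that reflects user input and fail the build if any `{{` lands in an AngularJS-compiled subtree without an `ng-non-bindable` guard. Unlike the character denylists above, the guard does not depend on guessing every character an expression might use.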