
  • pbl_dk 150 posts 551 karma points
    Apr 19, 2018 @ 08:38
    pbl_dk
    0

    AngularJS Injection problem

    Hi there.

    We are using a form field for search on the website (umbraco 7.9.2). Testers came back with a problem, since it's possible to execute javascript in the form field. It's AngularJS itself.

    If one writes: {{constructor.constructor('alert(1)')()}} it's executed in the browser.

    I have tried to make a kind of filter in angularjs, but I was wondering if anyone knows if it would be possible to fix this backend/server side/razor/C#?

    // Client-side attempt: strip the characters AngularJS could treat as an
    // interpolation ({{ }}) or expression before the value is rendered.
    $scope.intrusionval = function () {
      // Guard against an undefined model so .replace() does not throw.
      var _repl = $scope.formval || "";
      // One character class covers the separate replace() calls for
      // { } & ' " \ / ?; the i flag is not needed as no letters are matched.
      _repl = _repl.replace(/[{}&'"\\\/?]/g, "");
      $scope.formval = _repl;
    };
    

    Or even just where to begin..

    /Cheers

    Peter

  • pbl_dk 150 posts 551 karma points
    Apr 19, 2018 @ 11:02
    pbl_dk
    100

    I think I got it kind of stopped by putting this into the cshtml.

    // Request["q"] is null when the parameter is absent; guard it to avoid
    // a NullReferenceException before checking for the risky characters.
    var q = Request["q"];
    if (q != null && (q.Contains("{") || q.Contains("&") || q.Contains("?") || q.Contains("<")))
    {
        Response.RedirectPermanent("/");
    }
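A check for the kind of input described in both posts above, added here as an example and not code from the thread or from Umbraco: it reproduces the scan AngularJS's $interpolate performs for {{ and }} and decodes HTML entities first, because the browser decodes them before AngularJS compiles the DOM. The function names are assumptions.

```javascript
// Added example (not from the thread): spot AngularJS client-side template
// injection in a search term before it is echoed inside an ng-app scope.
// findInterpolations mirrors how AngularJS's $interpolate scans text:
// indexOf() for the start symbol "{{", then for the end symbol "}}";
// an unterminated "{{" is left as plain text, not evaluated.
function findInterpolations(text, startSymbol = "{{", endSymbol = "}}") {
  const found = [];
  let index = 0;
  while (index < text.length) {
    const startIndex = text.indexOf(startSymbol, index);
    if (startIndex === -1) break;
    const endIndex = text.indexOf(endSymbol, startIndex + startSymbol.length);
    if (endIndex === -1) break; // no closing "}}": remainder is literal text
    found.push(text.substring(startIndex + startSymbol.length, endIndex).trim());
    index = endIndex + endSymbol.length;
  }
  return found;
}

// The browser decodes entities in server-rendered HTML before AngularJS
// compiles the DOM, so "&#123;&#123;" reaches $interpolate as "{{".
// Razor's @-encoding alone therefore does not stop this; decode before checking.
function decodeHtmlEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : match;
  });
}

// Server-side style check for the ?q= parameter (hypothetical helper):
// true when the value carries no interpolation AngularJS would evaluate.
// A missing parameter is treated as safe rather than as an error.
function isSafeSearchTerm(raw) {
  if (raw == null) return true;
  return findInterpolations(decodeHtmlEntities(String(raw))).length === 0;
}
```

Rendering the echoed search term inside an element marked ng-non-bindable stops AngularJS from compiling that content at all, which is more robust than filtering characters.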
    