We have a hybrid webforms/asp.net application which does a lot of partial-page updates from javascript using jquery.

The typical (unsafe) pattern in our application's javascript is to respond to a user request to re-write part of the page with something like this:

$.ajax({
    type: "GET",
    url: urlVariableHere,
    success: function (data) {
        // data is the raw HTML string returned by the controller;
        // html() parses it as markup and inserts it into the page
        $("#elementIdHere").html(data);
    },
    error: function (XMLHttpRequest, ajaxOptions, ex) {
        errorHandlerFunction(XMLHttpRequest);
    }
});

"urlVariableHere" points to an MVC Controller method that returns a rendered MVC view. In other words, the Controller method returns a blob of raw HTML.

This pattern is unsafe because of the call to jQuery's html() method, which is vulnerable to a cross-site scripting attack. We now need this application to pass a Veracode static analysis, and this unsafe pattern is repeated several hundred times.

Hooman pointed out in his answer that if we are calling a Controller method which renders a View which does not use the Html.Raw method we are safe from an XSS attack. The problem is, we need to pass a Veracode static scan, and for internal reasons we cannot mark these flaws as "mitigated." For internal reasons the application must pass a static scan with zero mitigations.

What is the best (i.e. most time-economical) way to make this application safe, and still keep the ability to do partial-page updates from javascript? Right now I only see three alternatives, all of them huge efforts:

  1. Change every partial-page postback to a full-page postback.
  2. Change every ajax call to fetch JSON instead of HTML, and then safely create DOM elements from the JSON using safe methods like document.createElement(), element.setAttribute(), element.appendChild(), etc.
  3. Re-write the application to use a javascript framework (Angular, Vue) or library (React).

Am I missing an easier solution?

Tom Regan

1 Answer

As far as I know, XSS is a problem when you are getting some input from the user, it is not clear to me why you should not trust the response from your own controller? What you are doing is very typical and I have seen countless number of tutorials teaching it (like c-sharpcorner, aspsnippets or dotnetthoughts, etc).

Also, ASP.NET MVC View Engine encodes HTML by default. I am not sure how you render your Partial View, but unless you are using @Html.Raw you will potentially double encode the result.

But if you want to encode the HTML result, you can escape your HTML string, see this answer

Hooman Bahreini
  • Thanks Hooman, but I'm afraid you missed the point. I trust the response from my own Controller. The issue is that the call to jQuery.html() fails a Veracode static scan, and for internal reasons we cannot mark these flaws as "mitigated." I need to render html, so I cannot use the jQuery text() method. – Tom Regan Jan 20 '19 at 17:17
  • @TomRegan, I have updated my answer. Would be nice if you could share what sort of error/advice you are getting from Veracode... – Hooman Bahreini Jan 20 '19 at 22:56
  • Every use of html() is flagged as a medium flaw by Veracode. The particulars are not relevant to this question. I'm looking for advice on the easiest way to refactor. I know how the asp.net view engine works. – Tom Regan Jan 21 '19 at 13:45
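As an added worked example (my own code, not the questioner's application, the answer's code, or anything from ASP.NET or jQuery), this shows the question's option 2 end to end: the controller returns JSON instead of rendered HTML, and the client builds the DOM with createElement / setAttribute / appendChild so no string is ever parsed as markup; it also includes the plain HTML escaping the answer refers to for the case where a string must go into markup anyway. The response shape { items: [{ text, href, title? }] }, SAMPLE_RESPONSE, and the attribute allow-list are constructed assumptions for illustration. A small stand-in for the DOM is included so the same code runs under Node for testing.

```javascript
// Added example: JSON in, DOM out, with no html(data) call.
// The response shape and SAMPLE_RESPONSE are constructed assumptions.

const SAMPLE_RESPONSE = JSON.stringify({
  items: [
    { text: "Quarterly report", href: "/reports/q4", title: "PDF" },
    // Hostile-looking values coming back from the server stay inert: the text
    // becomes a text node and the href collapses to "#".
    { text: "<img src=x onerror=alert(1)>", href: "javascript:alert(1)" }
  ]
});

// Only these attributes may ever be copied from JSON onto an element.
const ALLOWED_ATTRS = new Set(["href", "title", "class"]);

// Accept relative paths, fragments and http(s) URLs; anything else
// (javascript:, data:, protocol-relative //host) collapses to "#".
function safeHref(value) {
  const v = String(value).trim();
  return /^(https?:\/\/|\/(?!\/)|#)/i.test(v) ? v : "#";
}

function setAttr(el, name, value) {
  if (!ALLOWED_ATTRS.has(name)) throw new Error("attribute not allowed: " + name);
  el.setAttribute(name, String(value));
}

// Build <ul><li><a href=...>text</a></li>...</ul> from the JSON response.
// `doc` is window.document in the browser; under Node the stand-in below is used.
function buildList(response, doc) {
  const data = JSON.parse(response);
  const ul = doc.createElement("ul");
  for (const item of data.items) {
    const li = doc.createElement("li");
    const a = doc.createElement("a");
    setAttr(a, "href", safeHref(item.href));
    if (item.title !== undefined) setAttr(a, "title", item.title);
    a.textContent = String(item.text); // assigned as text, never parsed as markup
    li.appendChild(a);
    ul.appendChild(li);
  }
  return ul;
}

// Swap the new tree into a container: the replacement for $(el).html(data).
function replaceContents(container, node) {
  while (container.firstChild) container.removeChild(container.firstChild);
  container.appendChild(node);
}

// Escaping for the case where a string must be placed into markup anyway.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Minimal DOM stand-in so the example runs under Node as well as in a browser.
function makeFakeDocument() {
  class FakeElement {
    constructor(tag) { this.tagName = tag; this.attributes = {}; this.childNodes = []; this.text = ""; }
    setAttribute(name, value) { this.attributes[name] = value; }
    appendChild(child) { this.childNodes.push(child); return child; }
    removeChild(child) { this.childNodes = this.childNodes.filter(c => c !== child); return child; }
    get firstChild() { return this.childNodes.length ? this.childNodes[0] : null; }
    get textContent() { return this.childNodes.length ? this.childNodes.map(c => c.textContent).join("") : this.text; }
    set textContent(value) { this.childNodes = []; this.text = value; }
  }
  return { createElement: tag => new FakeElement(tag) };
}

// Serialise a FakeElement tree to HTML (diagnostic only, for the Node run;
// shows that the hostile text is emitted escaped and the href neutralised).
function toHtml(el) {
  const attrs = Object.entries(el.attributes).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join("");
  const inner = el.childNodes.length ? el.childNodes.map(toHtml).join("") : escapeHtml(el.textContent);
  return `<${el.tagName}${attrs}>${inner}</${el.tagName}>`;
}

// Demo: uses the real document in a browser, the stand-in under Node.
function renderSample() {
  const doc = typeof document !== "undefined" ? document : makeFakeDocument();
  const container = doc.createElement("div");
  replaceContents(container, buildList(SAMPLE_RESPONSE, doc));
  return container;
}

if (typeof document === "undefined") console.log(toHtml(renderSample()));
```

In the real application the success callback would call buildList(data, document) and replaceContents on the target element instead of $("#elementIdHere").html(data); the static analyser then sees textContent and setAttribute rather than an HTML sink. The attribute allow-list and safeHref matter because moving to JSON only helps if attribute values and URLs are constrained too; a javascript: href set through setAttribute is still a script-execution path.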