I read about AllowHtml and ValidateInput. I know that nopCommerce uses these attributes to enable HTML values in some inputs.
I did some testing. For example, in the admin area, product management, I tried to remove AllowHtml from the 'Name' attribute on the ProductModel class, and when I submit the page I receive an exception. Fine... I expected this result.
The question is about the normal functionality of this attribute. Theoretically, in the 'Name' attribute I can insert a JS script and then post it. I tried to do this. In the 'Name' I wrote <scrip>alert('hello');</script>, then I submitted the page and it worked (AllowHtml allowed it to be sent). But... I didn't receive the alert on the page. Is there some mechanism that blocks script execution during the post request?
Thank you
Just a guess:
In your example above, there is an error in your script tag:
The AllowHtml attribute is used only to allow you to store HTML content in the database without causing an ASP.NET exception.
The Razor view engine has built-in XSS protection. The product name is rendered as @Model.Name in your cshtml file. It means the HTML content will be escaped and you will see your script as a <script>...</script> tag.
You should change the cshtml file to use @Html.Raw(Model.Name). The Html.Raw helper does not escape the content and renders it as-is. Please keep in mind that Html.Raw adds risk to your project, because somebody may be able to add a malicious script to the database.
Just to summarize: ASP.NET MVC/Razor is doing a great job of keeping your application safe. I think nopCommerce uses the [AllowHtml] attribute to allow business people to type special characters like '<' or '>' and not cause an error.
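As an added illustration (not code from this thread or from nopCommerce), the console program below mimics what the two Razor expressions discussed in the reply send to the browser for the same stored Name. System.Net.WebUtility.HtmlEncode stands in for Razor's own encoder (an assumption; the exact entities Razor emits can differ slightly), and both product names are constructed values.

```csharp
using System;
using System.Net;

// Added demo, not nopCommerce code. Models how a value saved through an
// [AllowHtml] field is rendered by "@Model.Name" versus "@Html.Raw(Model.Name)".
public static class RazorEncodingDemo
{
    // "@Model.Name": Razor HTML-encodes the value, so the browser shows it as
    // text. WebUtility.HtmlEncode is used here as a stand-in for Razor's encoder.
    public static string RenderEncoded(string storedName)
        => WebUtility.HtmlEncode(storedName);

    // "@Html.Raw(Model.Name)": the database value goes out untouched and the
    // browser parses it as markup.
    public static string RenderRaw(string storedName)
        => storedName;

    // Reviewer check: does the rendered fragment still contain a live
    // <script> tag, i.e. did encoding not happen? Case-insensitive on purpose.
    public static bool ContainsLiveScriptTag(string rendered)
        => rendered.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;

    public static void Main()
    {
        // Constructed value, as if typed into the Name field by the poster.
        const string scriptName = "<script>alert('hello');</script>";
        // Constructed legitimate name using '<' and '>', the case [AllowHtml]
        // exists for; encoding keeps it readable without making it executable.
        const string bracketName = "Bracket <10mm>";

        foreach (string storedName in new[] { scriptName, bracketName })
        {
            string encoded = RenderEncoded(storedName);
            string raw = RenderRaw(storedName);

            Console.WriteLine("@Model.Name          -> " + encoded);
            Console.WriteLine("  live script tag?   " + ContainsLiveScriptTag(encoded));
            Console.WriteLine("@Html.Raw(Model.Name) -> " + raw);
            Console.WriteLine("  live script tag?   " + ContainsLiveScriptTag(raw));
            Console.WriteLine();
        }
    }
}
```

The encoded rendering never yields a live script tag for either name, which is why the poster saw no alert: the tag was stored, but it reached the browser as text.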