cross site scripting
I have a web project which is developed with ASP.NET.
In my web project, I have a page called MainPage. In MainPage, according to the query string, the end user can see a survey edit form (www.a.com?entity=survey&op=edit) or a parameter insertion form (www.a.com?entity=parameter&op=add) or etc.
The query strings above are just examples, since I encrypt them; the end user actually sees some complex words in the URL.
I'm loading MainPageJs in MainPage.cshtml.
The code below shows how MainPageJs works.
Now what I wonder is:
- Does my code style have any security problems?
- Does my web page have any security vulnerability?
Does my code style have any security problems?
No. There is nothing wrong with dynamic code executed on the client, at least from a security point of view (you should still control its performance).
Does my web page have any security vulnerability?
No. You can't break anything by executing dynamic code on the client. "Dynamic" code is executed in the same sandbox with the same privileges as your common JS.
<script>...</script>) but it is not related to dynamic JS; it is more about dynamic HTML.
It totally depends on your ASP code implementation. From your question, I don't see a big security issue. However, if you are not familiar with vulnerabilities or security, I would not recommend the code style.
Here are some reasons.
- You opened your URL to the public. Even if you encode it, some dodgy people will try to hack it. For example, from different URLs, a hacker can decode it. I prefer to hide it and not give them a chance. Also, you can use the URL as a more readable resource for search engines.
- If you don't use a framework, you might need to implement filtering of parameters to prevent injection attacks (SQL, JS). It takes time.
- It is hard to maintain the code. As your code is mixed with ASP and JS, it gets harder as your code grows, especially when you deal with a View like HTML with JS in ASP code.
If you are encrypting client-side, it is possible for the user to actually see what is being sent to the application before it gets encrypted. There are tools to monitor client-side activity (such as YSlow), and a malicious user with technical expertise could use them to detect possible front-end vulnerabilities. Remember to never trust user input; allowing a user to pass or inject code into your app is never a good choice.
- You might get a better response on codereview.stackexchange.com and/or security.stackexchange.com
- If you directly insert values from the query string into the generated code, then you have a severe vulnerability. If you are just writing code like in your sample, where you statically determine the generated code, then you may be safe, but there is a better way to write such code.
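The "better way" the comment above and the second answer point to, as an added example that is not from the question or any answer: the server emits the decoded query-string values (entity, op) as JSON inside the script element instead of composing JavaScript source from them, and MainPageJs dispatches through an allowlist of known handlers rather than evaluating anything. The names jsonForScript, renderPageConfigScript, handlers and dispatch are assumed; it runs under Node.

```javascript
// Added example, not code from the original page. Assumes Node.js.

// Serialise a value for embedding inside <script> as JSON. JSON.stringify
// leaves "<", ">", "&" and the line terminators U+2028/U+2029 alone; those are
// the characters that let a value close the script element or break a JS
// string literal, so they are turned into \uXXXX escapes (still valid JSON).
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// What the server (e.g. MainPage.cshtml) would render: data, not code.
function renderPageConfigScript(query) {
  return `<script>window.pageConfig = ${jsonForScript(query)};</script>`;
}

// Client side (MainPageJs): map (entity, op) to a known handler. Anything not
// in the table is rejected instead of being interpreted.
const handlers = {
  "survey:edit": (cfg) => `render survey edit form for id ${cfg.id ?? "new"}`,
  "parameter:add": () => "render parameter insertion form",
};

function dispatch(cfg) {
  const key = `${cfg.entity}:${cfg.op}`;
  if (!Object.prototype.hasOwnProperty.call(handlers, key)) {
    throw new Error(`unknown page request: ${key}`);
  }
  return handlers[key](cfg);
}

// Constructed sample inputs: a normal request and one whose "op" value
// contains a script-closing tag, as a user might type into the URL.
const benignQuery = { entity: "survey", op: "edit", id: "42" };
const hostileQuery = { entity: "survey", op: "edit</script>x" };

console.log(renderPageConfigScript(benignQuery));
console.log(renderPageConfigScript(hostileQuery)); // "</script>" appears only once, at the end
console.log(dispatch(benignQuery));
```

The escaped output round-trips through JSON.parse unchanged, so the client still sees the original value, but the markup the browser parses contains exactly one closing script tag.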