Blazor with SignalR - how is an XSS or other attack possible when storing and rendering plain string

Time:01-26

In a Blazor Server with SignalR chat app, I'm taking user input in an <input> element, binding it to a string in the @code section, and storing that string in the db as a parameterized query. I believe this is enough to prevent a 1st order sql injection.

I'm displaying the same string back to the user on the frontend, and all other users connected to the chat app, both via SignalR and also later on page reload from the string being retrieved from the db, via simply rendering it as a string again (the strings are saved to a string array, loops in the .razor file, and rendered in a <p> tag), example:

<ul id="messagesList">
    @foreach (var message in userInputtedMessages)
    {
        <li>@message</li>
    }
</ul>

From all the research I've done, I believe my implementation may be vulnerable to XSS attacks, but I can't see how, since whatever HTML or javascript, or C# code I input there as a message, it's simply rendered as plain text.

I'm not using any form of input/output sanitization, but merely storing the input as a string, passing it as a parameterized query into the SQL db, where its only use is to be used for the frontend again as a displayed message (also a string).

Is this vulnerable to XSS? And in particular, if it is, could an example please be given as to how this is so? My understanding of an actual XSS attack like this is limited, and I cannot see what the issue is other than many posts saying "always sanitize output", etc.

My question is why? How is this vulnerable?

CodePudding user response:

As a general rule of thumb, you should always take steps when processing user input, so the advice is sound. Some frameworks (such as ASP.NET Core) put protections in place on your behalf.

By default, Razor HTML encodes all strings that it is asked to render. This mitigates against XSS attacks. You have to take steps to bypass this protection to render the string as raw HTML by casting to MarkupString in Blazor or using HTML.Raw() in Razor Pages/MVC. At that point, you should take responsibility for any sanitising that your application requires.
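Added example (not from the original post or the answer above) showing the two rendering paths the answer describes side by side in one Blazor Server component. The component name, the `storedMessages` array and the payload strings are constructed for illustration and stand in for rows read back from the database; nothing here is the questioner's project code.

```razor
@* XssDemo.razor: added example, not from the original post. Assumes a Blazor Server
   project; storedMessages is constructed sample data standing in for DB rows. *@
@using System.Text.Encodings.Web

<h3>1. Default: Razor HTML-encodes the string (what the question does)</h3>
<ul id="messagesList">
    @foreach (var message in storedMessages)
    {
        @* "<img src=x onerror=alert(1)>" reaches the DOM as the text node
           &lt;img src=x onerror=alert(1)&gt;: shown literally, no element is
           created, no handler runs. This is the protection the answer refers to. *@
        <li>@message</li>
    }
</ul>

<h3>2. Opt-out: MarkupString tells Razor the string is already HTML</h3>
<ul id="rawMessagesList">
    @foreach (var message in storedMessages)
    {
        @* The same payload now becomes a real <img> element and onerror fires
           in the browser of every user who renders the list, including on page
           reload when the row comes back from the DB. Stored XSS, with a fully
           parameterized query and no SQL injection involved. *@
        <li>@((MarkupString)message)</li>
    }
</ul>

<h3>3. Encode first, then cast: equivalent to case 1</h3>
<ul id="encodedMessagesList">
    @foreach (var message in storedMessages)
    {
        <li>@EncodeForHtml(message)</li>
    }
</ul>

@code {
    // Constructed sample data: what a chat user could have typed into the <input>
    // and what the parameterized INSERT faithfully stored.
    private readonly string[] storedMessages =
    {
        "hello",
        "<img src=x onerror=alert(document.cookie)>",
        "<b>bold?</b> &amp; entities",
    };

    // Explicit version of what @message already does implicitly. Useful only to
    // make the point that MarkupString is safe exactly when its content has been
    // encoded (or sanitized) before the cast, never when it is raw user input.
    private static MarkupString EncodeForHtml(string message)
        => (MarkupString)HtmlEncoder.Default.Encode(message);
}
```

Case 1 is the questioner's loop unchanged, and it is safe for the reason the answer gives: the SignalR hop and the database round trip do not change anything, because the string is still rendered through Razor's encoder. The bug the "always sanitize output" advice guards against is case 2, which appears whenever someone later decides messages should support formatting and reaches for `MarkupString` (or `Html.Raw` in MVC). If that day comes, pass the string through an allow-list HTML sanitizer before the cast; encoding alone, as case 3 shows, just brings you back to plain text.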
