Friday, 23 August 2013

Cross Site Scripting ReflectedHTMLEncoding Request.Form(date)

I just started a new project where I look for Cross-Site Scripting:
Reflected findings and I mitigate them. This particular page has two date
variables (start and finish) that the software has deemed dangerous due to
their potential to send unvalidated data to the browser. With most
variables, I can just wrap an HTMLEncode around the variable like this:
HTMLEncode(string)
and everything will be fine. However, either because it is a date variable
or because it is a Request.Form, this solution won't work. Does anybody
have any suggestions? I tried googling "HTMLEncoding dates" and
"HTMLEncode and Request.Form" but I couldn't find any valuable solutions.
' Classic ASP (VBScript): the two Request.Form values flagged by the scanner
' are concatenated straight into msgtxt, which is later written to the page.
If expDate = "range" Then
    start = Request.Form("search_start_dt")
    finish = Request.Form("search_end_dt")
    msgtxt = "Completion Dates from " & start & " to " & finish
End If
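An added example, not code from the original post: the same block rewritten so that each date field is checked against a strict format allowlist before use, and the final string is still passed through Server.HTMLEncode at the point where it is built. It assumes Classic ASP/VBScript inside an <% %> block, that the form posts dates as mm/dd/yyyy, and ValidDateField is a hypothetical helper name chosen for this example.

```vbscript
' Added example (not from the original post). Assumes Classic ASP / VBScript
' and that the form posts dates as mm/dd/yyyy; adjust the pattern otherwise.

' Returns the form field as a canonical date string, or "" if it is not a date.
Function ValidDateField(fieldName)
    Dim raw, re
    ' CStr forces the Request.Form collection item into a plain string value
    raw = Trim(CStr(Request.Form(fieldName)))
    Set re = New RegExp
    ' Allowlist: only digits and slashes in the assumed mm/dd/yyyy layout
    re.Pattern = "^\d{1,2}/\d{1,2}/\d{4}$"
    If re.Test(raw) Then
        ' IsDate/CDate are locale-dependent; this rejects impossible dates such as 13/45/2013
        If IsDate(raw) Then
            ValidDateField = FormatDateTime(CDate(raw), vbShortDate)
            Exit Function
        End If
    End If
    ValidDateField = ""   ' anything else (including markup) is dropped entirely
End Function

If expDate = "range" Then
    start = ValidDateField("search_start_dt")
    finish = ValidDateField("search_end_dt")
    If start = "" Or finish = "" Then
        msgtxt = "Please enter the completion date range as mm/dd/yyyy."
    Else
        ' Encode at the output sink even though the values are now known-good;
        ' this is the wrapping the scanner expects to see around tainted data.
        msgtxt = "Completion Dates from " & Server.HTMLEncode(start) & _
                 " to " & Server.HTMLEncode(finish)
    End If
End If
```

Validating first means a non-date value never reaches msgtxt at all, while the Server.HTMLEncode call covers the case where the output is later written with Response.Write.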
