Fix for CVE-2008-3422

svn path=/branches/mono-1-1-18/mcs/; revision=110142
commit 4f5502c48eceefce46fa66b6f42c3303cec24fb9 1 parent 8e924fb
@grendello grendello authored
10 mcs/class/System.Web/System.Web.UI.HtmlControls/ChangeLog
@@ -1,3 +1,13 @@
+2008-07-25 Dean Brettle <dean@brettle.com>
+
+ * HtmlControl.cs (PreProcessRelativeReference),
+ HtmlForm.cs (RenderAttributes), HtmlInputButton (RenderAttributes),
+ HtmlInputRadioButton (RenderAttributes), HtmlSelect (RenderChildren):
+ Encode attributes that could contain HTML special chars.
+
+ * HtmlSelect (RenderChildren): HTML-encode option text.
+ * Fix for CVE-2008-3422
+
2006-09-18 Igor Zelmanovich <igorz@mainsoft.com>
* HtmlHead.cs:
2  mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlControl.cs
@@ -90,7 +90,7 @@ protected override ControlCollection CreateControlCollection ()
catch (Exception) {
throw new HttpException(attribName + " property had malformed url");
}
- writer.WriteAttribute(attribName, attr);
+ writer.WriteAttribute(attribName, attr, true);
Attributes.Remove(attribName);
}
}
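Review bot: Only the single attribute this method resolves gets the encode flag on the new line; the rest of `Attributes` is presumably still rendered by the base class outside this hunk, so it is worth confirming that path (the attribute collection's Render) also encodes, otherwise the resolved URL is the only attribute protected here. A one-line comment would record why the write-then-remove ordering matters: `// Write the resolved URL encoded, then remove it so the base renderer does not emit the raw value`. The enclosing method begins before the hunk; the `@@` label shows CreateControlCollection, but the ChangeLog attributes this line to PreProcessRelativeReference.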
2  mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlForm.cs
@@ -302,7 +302,7 @@ protected override void RenderAttributes (HtmlTextWriter w)
w.WriteAttribute ("name", Name);
w.WriteAttribute ("method", Method);
- w.WriteAttribute ("action", action);
+ w.WriteAttribute ("action", action, true);
if (ID == null) {
/* If ID != null then HtmlControl will
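Review bot: Only `action` gains the encode flag; `name` and `method` two lines above are still written unencoded, and whether that is safe depends on those values never being derived from the request, which the hunk does not show. The encode overload is a no-op for values without special characters, so passing `true` on all three keeps the method uniformly safe: `w.WriteAttribute ("name", Name, true);` and `w.WriteAttribute ("method", Method, true);`. The enclosing RenderAttributes starts before the hunk, and its tail (the comment opened on the last visible line) runs past it.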
4 mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlInputButton.cs
@@ -181,7 +181,7 @@ protected override void RenderAttributes (HtmlTextWriter writer)
}
if (onclick.Length > 0) {
- writer.WriteAttribute ("onclick", onclick);
+ writer.WriteAttribute ("onclick", onclick, true);
writer.WriteAttribute ("language", "javascript");
}
}
@@ -197,7 +197,7 @@ protected override void RenderAttributes (HtmlTextWriter writer)
if (oc != null) {
writer.WriteAttribute ("language", "javascript");
- writer.WriteAttribute ("onclick", oc);
+ writer.WriteAttribute ("onclick", oc, true);
}
}
#endif
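Review bot: The encode flag is now set at both onclick write sites, but the two hunks carry the same write-onclick-plus-`language` pattern in two branches (the second inside a conditional-compilation block closing at `#endif`), so a later edit can fix one and miss the other. A small private helper, say `WriteOnClick (HtmlTextWriter writer, string script)`, that does the `WriteAttribute (..., true)` and the `language` attribute would make the encode decision a single line. The enclosing RenderAttributes starts before each hunk; in the second, `oc` is presumably read from `Attributes` outside the visible lines, so confirm the same method handles both paths before merging them.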
2  mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlInputRadioButton.cs
@@ -120,7 +120,7 @@ protected virtual void OnServerChange (EventArgs e)
protected override void RenderAttributes (HtmlTextWriter writer)
{
- writer.WriteAttribute ("value", Value);
+ writer.WriteAttribute ("value", Value, true);
Attributes.Remove ("value");
base.RenderAttributes (writer);
}
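Review bot: `Value` is now encoded before `Attributes.Remove ("value")` hands the remaining attributes to the base class, which is the right order, but this is the only HtmlInput* control the commit touches. If the sibling input controls render `value` through their own RenderAttributes rather than through the base attribute collection, they need the same `true` argument; the hunk cannot show which path they take, so check before treating the CVE as closed. A comment on the new line would explain the ordering to the next reader: `// Write encoded, then drop it so base.RenderAttributes does not write it raw`.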
4 mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlSelect.cs
@@ -665,10 +665,10 @@ override void RenderChildren (HtmlTextWriter w)
}
}
- w.WriteAttribute ("value", item.Value);
+ w.WriteAttribute ("value", item.Value, true);
w.Write (HtmlTextWriter.TagRightChar);
- w.Write (item.Text);
+ w.Write (HttpUtility.HtmlEncode(item.Text));
w.WriteEndTag ("option");
w.WriteLine ();
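Review bot: The option text is encoded through `HttpUtility.HtmlEncode` while the value attribute on the line above goes through the writer's own encode flag; the writer has a matching method for text content, so `w.WriteEncodedText (item.Text);` would keep both encodings inside the `HtmlTextWriter` API and read as a pair. Check the null case before switching: `HttpUtility.HtmlEncode (null)` handed to `Write` presumably emits nothing, and the replacement must behave the same if `item.Text` can ever be null. The enclosing RenderChildren and its item loop start before the hunk.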
7 mcs/class/System.Web/Test/System.Web.UI.HtmlControls/ChangeLog
@@ -1,3 +1,10 @@
+2008-07-27 Dean Brettle <dean@brettle.com>
+
+ * HtmlInputButtonTest.cs, HtmlImageTest.cs, HtmlFormTest.cs,
+ HtmlInputRadioButtonTest.cs, HtmlSelectTest.cs: Added tests
+ for HTML-encoded of attributes.
+ * Fix for CVE-2008-3422
+
2006-09-17 Igor Zelmanovich <igorz@mainsoft.com>
* HtmlAnchorTest.cs: added test for ViewState
4 mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlImageTest.cs
@@ -118,13 +118,13 @@ public void RenderAttributes ()
img.Alt = "*2*";
img.Border = 3;
img.Height = 4;
- img.Src = "*5*";
+ img.Src = "*5<&*";
img.Width = 6;
Assert.AreEqual (6, img.Attributes.Count, "Attributes.Count");
HtmlTextWriter writer = img.GetWriter ();
- Assert.AreEqual (" src=\"*5*\" align=\"*1*\" alt=\"*2*\" border=\"3\" height=\"4\" width=\"6\" /", writer.InnerWriter.ToString ());
+ Assert.AreEqual (" src=\"*5&lt;&amp;*\" align=\"*1*\" alt=\"*2*\" border=\"3\" height=\"4\" width=\"6\" /", writer.InnerWriter.ToString ());
}
}
}
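Review bot: The new expectation at the end of the hunk proves `<` and `&` are encoded in `src`, but not the double quote, which is the one character that would terminate the attribute value `WriteAttribute` emits; a further assignment such as `img.Src = "*5<&\"*";` with `&quot;` expected in the rendered string would cover the delimiter too. The same gap applies to the added cases in HtmlInputButtonTest, HtmlInputRadioButtonTest and HtmlSelectTest, which all use only `<` and `&`. Spelling out the full expected string here is good for a regression test on a CVE fix, since it fixes the exact entity names the writer must produce.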
22 mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlInputButtonTest.cs
@@ -164,6 +164,28 @@ public void OnClickAttribute ()
Assert.IsTrue (found >= 0, "#02");
}
+ [Test]
+ public void OnClickAttributeWithSpecials ()
+ {
+ StringWriter sw = new StringWriter ();
+ HtmlTextWriter tw = new HtmlTextWriter (sw);
+
+ HtmlInputButtonPoker p = new HtmlInputButtonPoker ();
+ p.Page = new Page ();
+ p.Attributes["onclick"] = "alert('<&');";
+ p.DoRenderAttributes (tw);
+ string str = sw.ToString ();
+ int found = str.IndexOf ("alert('&lt;&amp;');");
+ Assert.IsTrue (found >= 0, "#01");
+ p.ServerClick += new EventHandler (EmptyHandler);
+ sw = new StringWriter ();
+ tw = new HtmlTextWriter (sw);
+ p.DoRenderAttributes (tw);
+ str = sw.ToString ();
+ found = str.IndexOf ("alert('&lt;&amp;');");
+ Assert.IsTrue (found >= 0, "#02" + str);
+ }
+
private static void EmptyHandler (object sender, EventArgs e)
{
}
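Review bot: The two halves of `OnClickAttributeWithSpecials` repeat the writer setup and the `IndexOf` check verbatim, differing only in whether a ServerClick handler is attached; a small local helper that renders `p` and returns the string would halve the test and make the two branches it covers (attribute only, attribute plus generated postback script) visible at a glance. The second failure message appends the entire rendering, `"#02" + str`, while the first does not; apply the same to `"#01"` or drop it, since the framework already prints the assertion context. A short comment above the `[Test]` naming the CVE and what the two checks correspond to would help the next reader, as the method name alone does not say why the handler is attached midway.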
4 mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlInputRadioButtonTest.cs
@@ -236,9 +236,9 @@ public void RenderValue1 ()
rb.ID = "id";
string attrs = rb.RenderAttributes ();
Assert.IsTrue (attrs.IndexOf ("value=\"id\"") >= 0);
- rb.Value = "hola";
+ rb.Value = "hola<&";
attrs = rb.RenderAttributes ();
- Assert.IsTrue (attrs.IndexOf ("value=\"hola\"") >= 0);
+ Assert.IsTrue (attrs.IndexOf ("value=\"hola&lt;&amp;\"") >= 0);
}
#if NET_2_0
12 mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlSelectTest.cs
@@ -478,5 +478,17 @@ public void DataBindDoubleCall ()
Assert.AreEqual (exp, s.Render ());
}
+ [Test]
+ public void HtmlEncodeValues ()
+ {
+ TestHtmlSelect s = new TestHtmlSelect ();
+ s.DataSource = new string [] { "&", "<" };
+ s.DataBind ();
+ string exp = @"<select name>
+ <option value=""&amp;"">&amp;</option>
+ <option value=""&lt;"">&lt;</option>
+</select>";
+ HtmlDiff.AssertAreEqual (exp, s.Render (), "HtmlEncodeValues");
+ }
}
}
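Review bot: With `DataSource` set to plain strings, every option gets the same string for `Value` and `Text`, so the expected markup cannot tell whether the value attribute and the option text were each encoded independently or whether one merely copied the other; adding an option with distinct text and value (for example `Items.Add (new ListItem ("a<b", "c&d"))`, or whatever the TestHtmlSelect wrapper exposes) would exercise both new encode sites separately. The existing test above uses `Assert.AreEqual` on the rendering while the new one uses `HtmlDiff.AssertAreEqual`; if the latter is whitespace-tolerant the verbatim multi-line expected string could be simplified, otherwise plain `Assert.AreEqual` would match the rest of the file. The enclosing class continues past the hunk.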