DNN Forums

Ask questions about your website to get help learning DNN and help resolve issues.

XSS Cross scripting measure in DNN






Growing Member





    Hi, we had not realised that DNN does not set the validate request setting to enabled in web.config. We had a request to add several asp.net forms quickly to a DNN website. We just created custom modules on the server itself and copied our forms in. They are just html forms that email results to a mailbox from code-behind. Is there a way to quickly add a wrapper to the html or in code-behind to pick up on DNN's built-in antiXSS measures?






    Veteran Member





      When you say that you added "several asp.net forms", does that mean pages that exist outside of DNN but live in the same install directory? If so, you are going to have to do the work yourself, as DNN doesn't know about them.

      You also said "custom modules" which I assume are not DNN modules?

      The "better" way to do this would be to put the forms in HTML or razor modules which could then be added to pages. If you do this you will need to do some slight editing of your "forms" so that they can exist inside of DNN. A good place to start is the "oldie but goodie" blog post: https://mitchelsellers.co...submissions-from-dnn
      Joe Craig
      DNN MVP
      Patapsco Research Group





      Growing Member





        Sorry for the confusion. No, we created DNN modules directly on the server in the desktop modules folder and simply copied the asp.net forms html and code into the ascx files.
        By custom forms we meant that we did not use any module template in Visual Studio etc.

        The forms are working inside DNN modules, but it is just the cross scripting we are asking about. Apart from sticking a regular expression validator on each text box and using HTML encode in the back end, is there a simple wrapper or in code to allow these modules to pick up on the antiXSS measures used, for example, in the HTML Module?






        Veteran Member





          Are there form tags in your html?
          Joe Craig
          DNN MVP
          Patapsco Research Group





          Veteran Member





            Stuart,

            Best solution would be to use any of the form modules available and re-create your forms with one of the modules. There are some good solutions available in the DNN Store (https://store.dnnsoftware...2?searchtext=forms), but also free stuff like OpenForms (https://github.com/sachatrauwaen/openform).

            Happy DNNing!
            Michael

            Michael Tobisch
            DNN★MVP

            dnnWerk Austria
            DNN Connect





            Growing Member





              Hi Joe, no form tags, the forms are working perfectly within the DNN modules.

              Michael, some of the forms are not that simple, fairly lengthy and involve criteria testing with sections hidden or displayed accordingly. At this point, we do not have time to learn a new form module enough to recreate the forms as they are temporary, although we will look at some of the options mentioned for future use.

              We just wondered if there was a programmatic way to plug in the page Request Validation or the .Net 4.5 XssSecurity.
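
An added example, not part of the thread and not DNN's own code: one way to do the back-end half of what the posts above describe (allow-list validation plus HTML encoding) in a module's code-behind before submitted values are emailed. The class and method names are hypothetical, the sample input is constructed, and only .NET base class library calls are used.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper for a module's code-behind (added example).
public static class FormMailSanitizer
{
    // Allow-list for single-line fields: letters, digits and basic punctuation only.
    private static readonly Regex SingleLine =
        new Regex(@"^[\p{L}\p{N} .,'@_+\-]{1,200}$", RegexOptions.CultureInvariant);

    // Values that end up in mail headers (subject, reply-to) must never carry CR/LF.
    public static string ForHeader(string value)
    {
        if (value == null) return string.Empty;
        string trimmed = value.Trim();
        if (trimmed.IndexOfAny(new[] { '\r', '\n' }) >= 0 || !SingleLine.IsMatch(trimmed))
            throw new FormatException("Field contains characters that are not allowed.");
        return trimmed;
    }

    // Builds an HTML mail body in which every submitted name and value is encoded,
    // so markup typed into a text box is displayed as text instead of being rendered.
    // System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(value, false) from
    // .NET 4.5 can be used here in place of WebUtility.HtmlEncode.
    public static string BuildHtmlBody(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<table>");
        foreach (var pair in fields)
        {
            sb.Append("<tr><th>").Append(WebUtility.HtmlEncode(pair.Key)).Append("</th><td>")
              .Append(WebUtility.HtmlEncode(pair.Value ?? string.Empty)).Append("</td></tr>");
        }
        return sb.Append("</table>").ToString();
    }

    public static void Main()
    {
        // Constructed sample submission.
        var fields = new Dictionary<string, string> {
            { "Name", "Ann O'Neil" },
            { "Comment", "<script>alert(1)</script>" }
        };
        Console.WriteLine(ForHeader("Enquiry from Ann O'Neil"));
        Console.WriteLine(BuildHtmlBody(fields));
    }
}
```

Encoding happens at the point where the value is written into HTML, so the same call applies wherever a submitted value is echoed back into the ascx output.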
