How to prevent amending the drop-down list and entering symbols via the 'Save' update POST request
Question

Hi All,


Recently I have been doing a "Security Assessment". Some things need to be fixed.

1) Drop-down list: "the tester" was able to amend the drop-down list. How do I prevent this from happening? I thought a drop-down list does not allow the user to edit it; it is just a selection list. The tester was able to enter any selection ID they wanted, like 0 or 1000, for the drop-down list of numbers.


2) I have already added validation on the front-end input field, on keypress, keyup and change. I have already added symbol validation using JS. But the tester was still able to put, for example, "<script>Alert1</script>" somewhere and save it. When retrieved, it returns "<script>Alert1</script>".


Is any expert able to help me? How can I solve this in a simple way?


please find the attached file.


Thank you

example1.png

Hi there,

See the attached oml. When you "sanitize" the user input with SanitizeHtml(), it makes sure that the value does not contain any malicious content such as <script></script> tags.

So for your <script>Alert1</script> example, it clears the value altogether, since <script></script> tags and the literal text in between shouldn't be accepted from user input.

SanitizationExample.oml

Hi Jing,

Have you tried using the actions from the Sanitization extension? Especially the SanitizeHtml() action can help to avoid JS code injection.

https://success.outsystems.com/Documentation/11/Reference/Errors_and_Warnings/Warnings/HTML_Injection_Warning


About the dropdown issue: it is indeed possible to locally change the text rendered on screen with the browser inspector. The important part is that what's being submitted to the server should be valid. In the case of a dropdown, the value of the selected option will be sent, so I suggest you do a check on the server side, before any other operations, to see whether the incoming value is indeed valid or not.

Hi Ozan Cali,


thanks for your reply.

Do you have any sample of using the Sanitization extension? I don't know how to start using it.

Is it possible to simply add 2 fields and click submit? I want to see how SanitizeHtml() works.

Thank you

regards,

Ryan


Hi Ozan Cali,

I have tried it. Now I know how to use it.

How can I control SanitizeHtml() so that it accepts only the symbols < - % but does not accept / * #?


Thank you


Hi,

I don't think you are able to control SanitizeHtml() that way, but you can write your own action and define which symbols to accept and which to refuse.

To make it in an elegant way, you can also use Regular Expressions to define the "acceptable" characters.

Hi Ozan Cali,

Thank you for your help again. Do you mind sharing a sample of using Regular Expressions with me?

I have read this kind of article before, but I don't know how to use it.

I would appreciate it if you could help me. :-)

field 1: does not accept @ - ! % and spaces

field 2: does not accept numeric characters

field 3: does not accept any symbol but accepts alphanumeric characters

Which should I control at the backend? On the front end I am using JS to control it, but the tester can still add in the symbols which I do not accept.


Thank you


Sure, I'm going to share a solution when I have the time. You can check OutSystems Forge in the meantime; there are some readily available solutions for input validation with RegEx.

Regards
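As an added example (not code from this thread, from OutSystems, or from the Sanitization extension), here are the server-side checks the replies above describe, written in plain JavaScript: the submitted dropdown ID is compared against the option IDs the server actually rendered, the three fields are validated with regular expressions matching the rules asked for, and stored values are HTML-escaped when rendered back so a saved "<script>" is shown as text rather than executed. The option IDs, field names and regex rules are constructed assumptions for the example.

```javascript
// Constructed: the option IDs the server actually rendered in the dropdown.
const ALLOWED_OPTION_IDS = new Set([1, 2, 3]);

// Constructed regex rules for the three fields asked about in the thread.
const FIELD_RULES = {
  field1: /^[^@\-!%\s]*$/,   // no @ - ! % or whitespace
  field2: /^[^0-9]*$/,       // no numeric characters
  field3: /^[A-Za-z0-9]*$/,  // alphanumeric only, no symbols
};

// A dropdown value arrives as a string; only an integer that matches a
// rendered option is valid, so "0" or "1000" typed via the inspector is rejected.
function isValidOptionId(raw) {
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) return false;
  return ALLOWED_OPTION_IDS.has(Number(raw));
}

// Returns a map of field name -> error for every field that breaks its rule.
function validateFields(body) {
  const errors = {};
  for (const [name, rule] of Object.entries(FIELD_RULES)) {
    const value = body[name];
    if (typeof value !== 'string' || !rule.test(value)) errors[name] = 'invalid characters';
  }
  return errors;
}

// Output encoding for when a stored value is rendered back into HTML:
// a stored "<script>..." becomes inert text instead of running in the browser.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side handling of the Save POST body: reject before any other operation.
function handleSave(body) {
  if (!isValidOptionId(body.optionId)) return { ok: false, reason: 'optionId not in list' };
  const errors = validateFields(body);
  if (Object.keys(errors).length > 0) return { ok: false, reason: 'field validation failed', errors };
  return { ok: true };
}
```

The same regexes can stay in the front-end JS for user feedback, but only the server-side copy counts for security, since the browser checks can be bypassed.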
