Apps sicher gegen Script-Exploits gemacht durch absicherndes Encoden der Strings der Seite mittels Server.HtmlEncode(beliebiger String)

This commit is contained in:
ja
2021-09-22 11:16:32 +02:00
parent 87d560c788
commit 71c8d5b798
3 changed files with 18 additions and 20 deletions


@@ -160,28 +160,28 @@ Partial Class Kundenbereich_Default
dt = Nothing dt = Nothing
If txt_Absender.Text IsNot "" Then If txt_Absender.Text IsNot "" Then
txt_Absender.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_Absender.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Absender = txt_Absender.Text Absender = Server.HtmlEncode(txt_Absender.Text)
ElseIf txt_Empfaenger.Text IsNot "" Then ElseIf txt_Empfaenger.Text IsNot "" Then
txt_Empfaenger.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_Empfaenger.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Empfaenger = txt_Empfaenger.Text Empfaenger = Server.HtmlEncode(txt_Empfaenger.Text)
ElseIf txt_KdNrAuftrag.Text IsNot "" Then ElseIf txt_KdNrAuftrag.Text IsNot "" Then
txt_KdNrAuftrag.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_KdNrAuftrag.ValidateRequestMode = UI.ValidateRequestMode.Enabled
KDNAFNR = txt_KdNrAuftrag.Text KDNAFNR = Server.HtmlEncode(txt_KdNrAuftrag.Text)
ElseIf txt_LKWNr.Text IsNot "" Then ElseIf txt_LKWNr.Text IsNot "" Then
txt_LKWNr.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_LKWNr.ValidateRequestMode = UI.ValidateRequestMode.Enabled
LKWNR = txt_LKWNr.Text LKWNR = Server.HtmlEncode(txt_LKWNr.Text)
ElseIf txt_Absender_M.Text IsNot "" Then ElseIf txt_Absender_M.Text IsNot "" Then
txt_Absender_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_Absender_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Absender = txt_Absender_M.Text Absender = Server.HtmlEncode(txt_Absender_M.Text)
ElseIf txt_Empfaenger_M.Text IsNot "" Then ElseIf txt_Empfaenger_M.Text IsNot "" Then
txt_Empfaenger_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_Empfaenger_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Empfaenger = txt_Empfaenger_M.Text Empfaenger = Server.HtmlEncode(txt_Empfaenger_M.Text)
ElseIf txt_KdNrAuftrag_M.Text IsNot "" Then ElseIf txt_KdNrAuftrag_M.Text IsNot "" Then
txt_KdNrAuftrag_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_KdNrAuftrag_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
KDNAFNR = txt_KdNrAuftrag_M.Text KDNAFNR = Server.HtmlEncode(txt_KdNrAuftrag_M.Text)
ElseIf txt_LKWNr_M.Text IsNot "" Then ElseIf txt_LKWNr_M.Text IsNot "" Then
txt_LKWNr_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled txt_LKWNr_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
LKWNR = txt_LKWNr_M.Text LKWNR = Server.HtmlEncode(txt_LKWNr_M.Text)
End If End If
If rbt_Alle.Selected = True Or rbt_Alle_M.Selected = True Then If rbt_Alle.Selected = True Or rbt_Alle_M.Selected = True Then
@@ -220,9 +220,9 @@ Partial Class Kundenbereich_Default
Else Else
Try Try
datevon = Date.Parse(pickdate1.Text) datevon = Date.Parse(pickdate1.Text)
MsgBox(pickdate1.Text) 'MsgBox(pickdate1.Text)
datebis = Date.Parse(pickdate2.Text) datebis = Date.Parse(pickdate2.Text)
MsgBox(pickdate2.Text) ' MsgBox(pickdate2.Text)
dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {1}, datevon, datebis, Absender, Empfaenger, LKWNR, KDNAFNR) dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {1}, datevon, datebis, Absender, Empfaenger, LKWNR, KDNAFNR)
Catch ex As Exception Catch ex As Exception
MsgBox(ex.StackTrace, MsgBoxStyle.Exclamation) MsgBox(ex.StackTrace, MsgBoxStyle.Exclamation)
@@ -330,7 +330,7 @@ Partial Class Kundenbereich_Default
tbl_cellNothing.Style.Add("text-align", "center") tbl_cellNothing.Style.Add("text-align", "center")
Dim tr = New TableRow() Dim tr = New TableRow()
tr.Style.Add("text-align", "center") tr.Style.Add("text-align", "center")
tbl_cellNothing.Text = "Keine Daten gefunden." tbl_cellNothing.Text = Server.HtmlEncode("Keine Daten gefunden.")
tr.Cells.Add(tbl_cellNothing) tr.Cells.Add(tbl_cellNothing)
normaltable.Rows.Add(tr) normaltable.Rows.Add(tr)
End If End If
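Review bot: Server.HtmlEncode is applied at input time to Absender, Empfaenger, KDNAFNR and LKWNR, and the encoded values are then handed to VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB, so if that call uses them as search terms an input like `Müller & Co` is looked up as `M&#252;ller &amp; Co` (System.Web's HtmlEncode entity-encodes `&`, `'` and, as far as I recall, Latin-1 characters such as umlauts — verify) and will no longer match. HTML encoding belongs at the output side where the value is written into the page; encoding the input neither protects other places that render the raw form field nor the database call, which needs parameterized queries inside GET_KDLIST_WEB. The `txt_*.ValidateRequestMode = UI.ValidateRequestMode.Enabled` lines appear to be inert here, because the web.config in this same commit keeps `requestValidationMode="2.0"` and `validateRequest="false"`, and per-control ValidateRequestMode is only honored from requestValidationMode 4.5 on. I would keep `Absender = txt_Absender.Text` and encode at the point of rendering instead. The enclosing method starts and ends outside this hunk.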


@@ -27,6 +27,7 @@
<authentication mode="Forms"> <authentication mode="Forms">
<forms defaultUrl="admin/admin.aspx" loginUrl="login/Login_FLEX.aspx" slidingExpiration="true" timeout="2880" /> <forms defaultUrl="admin/admin.aspx" loginUrl="login/Login_FLEX.aspx" slidingExpiration="true" timeout="2880" />
</authentication> </authentication>
<sessionState mode="InProc" timeout="2880" cookieless="AutoDetect" regenerateExpiredSessionId="false" compressionEnabled="true"></sessionState>
<httpRuntime requestValidationMode="2.0" /> <httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" controlRenderingCompatibilityVersion="4.0" /> <pages validateRequest="false" controlRenderingCompatibilityVersion="4.0" />
<!--<securityPolicy> <!--<securityPolicy>
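Review bot: The new sessionState element sets `cookieless="AutoDetect"`, which lets ASP.NET carry the session ID in the URL for clients it judges cookie-less; an ID in the URL leaks through Referer headers, logs and copied links and makes session fixation trivial, and `regenerateExpiredSessionId="false"` then lets a supplied expired ID be reused. Unless cookie-less clients are a real requirement I would write `<sessionState mode="InProc" timeout="2880" cookieless="UseCookies" />` and drop regenerateExpiredSessionId, which only applies to cookieless modes. Note also that the surrounding `requestValidationMode="2.0"` and `validateRequest="false"` lines are left as they are, so the request-validation layer that the HtmlEncode calls in this commit are meant to back up remains globally disabled, and a 2880-minute (48 h) session and auth timeout is long for a customer-facing login. `compressionEnabled` has no effect with `mode="InProc"`; it applies to out-of-process session stores.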


@@ -38,16 +38,13 @@ Partial Class login_login_TEST
Login1.FailureText = "Account has not been activated." Login1.FailureText = "Account has not been activated."
Exit Select Exit Select
Case Else Case Else
If Session.IsNewSession = True Then
Session.Add("test", Login1.UserName) Session.Add("test", Login1.UserName)
CustomerIDTextBox = Login1.FindControl("CustomerID") CustomerIDTextBox = Login1.FindControl("CustomerID")
Session.Add("CustomerID", CustomerIDTextBox.Text) Session.Add("CustomerID", CustomerIDTextBox.Text)
Session.Add("PW", Login1.Password) Session.Add("PW", Login1.Password)
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet) FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet)
Else
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet)
End If
'FormsAuthentication.SetAuthCookie(Login1.UserName, True) 'FormsAuthentication.SetAuthCookie(Login1.UserName, True)
'Response.Redirect("mypage.aspx") 'Response.Redirect("mypage.aspx")
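Review bot: `Session.Add("PW", Login1.Password)` now stores the user's plaintext password in server session on every successful login (the `If Session.IsNewSession` guard that previously limited this was removed), where it lives for the configured 2880-minute timeout and is readable by anything that can reach session state or a memory dump. Keeping the credential should not be needed once `FormsAuthentication.RedirectFromLoginPage` has issued the auth ticket; I would delete that line and, if a downstream call genuinely needs credentials, have it use a server-side secret, with a comment such as `' Do not keep the password in session; authentication is carried by the forms ticket`. The `Session.Add("test", Login1.UserName)` key also looks like a leftover debug name and should get a meaningful key or go. This Case Else branch belongs to a Select that starts outside the hunk.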