edv/VERAG_Homepage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apps sicher gegen Scriot Exploits gemacht wegen Absicherendem Encoden Der Strings der Seite Mittels Server.HtmlEncode(beliebiger String)

Browse Source
This commit is contained in:
ja
2021-09-22 11:16:32 +02:00
parent 87d560c788
commit 71c8d5b798
3 changed files with 18 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
Customers/CustomsAviso.aspx.vb
View File

@@ -160,28 +160,28 @@ Partial Class Kundenbereich_Default
dt = Nothing
If txt_Absender.Text IsNot "" Then
txt_Absender.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Absender = txt_Absender.Text
Absender = Server.HtmlEncode(txt_Absender.Text)
ElseIf txt_Empfaenger.Text IsNot "" Then
txt_Empfaenger.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Empfaenger = txt_Empfaenger.Text
Empfaenger = Server.HtmlEncode(txt_Empfaenger.Text)
ElseIf txt_KdNrAuftrag.Text IsNot "" Then
txt_KdNrAuftrag.ValidateRequestMode = UI.ValidateRequestMode.Enabled
KDNAFNR = txt_KdNrAuftrag.Text
KDNAFNR = Server.HtmlEncode(txt_KdNrAuftrag.Text)
ElseIf txt_LKWNr.Text IsNot "" Then
txt_LKWNr.ValidateRequestMode = UI.ValidateRequestMode.Enabled
LKWNR = txt_LKWNr.Text
LKWNR = Server.HtmlEncode(txt_LKWNr.Text)
ElseIf txt_Absender_M.Text IsNot "" Then
txt_Absender_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Absender = txt_Absender_M.Text
Absender = Server.HtmlEncode(txt_Absender_M.Text)
ElseIf txt_Empfaenger_M.Text IsNot "" Then
txt_Empfaenger_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
Empfaenger = txt_Empfaenger_M.Text
Empfaenger = Server.HtmlEncode(txt_Empfaenger_M.Text)
ElseIf txt_KdNrAuftrag_M.Text IsNot "" Then
txt_KdNrAuftrag_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
KDNAFNR = txt_KdNrAuftrag_M.Text
KDNAFNR = Server.HtmlEncode(txt_KdNrAuftrag_M.Text)
ElseIf txt_LKWNr_M.Text IsNot "" Then
txt_LKWNr_M.ValidateRequestMode = UI.ValidateRequestMode.Enabled
LKWNR = txt_LKWNr_M.Text
LKWNR = Server.HtmlEncode(txt_LKWNr_M.Text)
End If
If rbt_Alle.Selected = True Or rbt_Alle_M.Selected = True Then
@@ -220,9 +220,9 @@ Partial Class Kundenbereich_Default
Else
Try
datevon = Date.Parse(pickdate1.Text)
MsgBox(pickdate1.Text)
'MsgBox(pickdate1.Text)
datebis = Date.Parse(pickdate2.Text)
MsgBox(pickdate2.Text)
' MsgBox(pickdate2.Text)
dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {1}, datevon, datebis, Absender, Empfaenger, LKWNR, KDNAFNR)
Catch ex As Exception
MsgBox(ex.StackTrace, MsgBoxStyle.Exclamation)
@@ -330,7 +330,7 @@ Partial Class Kundenbereich_Default
tbl_cellNothing.Style.Add("text-align", "center")
Dim tr = New TableRow()
tr.Style.Add("text-align", "center")
tbl_cellNothing.Text = "Keine Daten gefunden."
tbl_cellNothing.Text = Server.HtmlEncode("Keine Daten gefunden.")
tr.Cells.Add(tbl_cellNothing)
normaltable.Rows.Add(tr)
End If

1
Web.config
View File

@@ -27,6 +27,7 @@
<authentication mode="Forms">
<forms defaultUrl="admin/admin.aspx" loginUrl="login/Login_FLEX.aspx" slidingExpiration="true" timeout="2880" />
</authentication>
<sessionState mode="InProc" timeout="2880" cookieless="AutoDetect" regenerateExpiredSessionId="false" compressionEnabled="true"></sessionState>
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" controlRenderingCompatibilityVersion="4.0" />
<!--<securityPolicy>

7
login/login_FLEX.aspx.vb
View File

@@ -38,16 +38,13 @@ Partial Class login_login_TEST
Login1.FailureText = "Account has not been activated."
Exit Select
Case Else
If Session.IsNewSession = True Then
Session.Add("test", Login1.UserName)
CustomerIDTextBox = Login1.FindControl("CustomerID")
Session.Add("CustomerID", CustomerIDTextBox.Text)
Session.Add("PW", Login1.Password)
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet)
Else
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet)
End If
'FormsAuthentication.SetAuthCookie(Login1.UserName, True)
'Response.Redirect("mypage.aspx")