Tags: c#, winforms, xss, owasp

Prevent XSS in C# Winform WebBrowser


I'm using a C# WebBrowser in my application. This WebBrowser receives an HTML input as a string, like this fairly simple portion of code:

// Decode the Base64 payload back into the HTML string that was sent
string HtmlToDisplay = UTF8Encoding.UTF8.GetString(Convert.FromBase64String(RawDataB64));
// Hand the raw HTML to the control, which will parse and render it (scripts included)
webBrowser1.DocumentText = HtmlToDisplay;

As the WebBrowser component will execute any script included in the HTML, I need to prevent XSS attacks by "cleaning" the HTML string to display.

I first thought of removing the script tag as in this link: https://stackoverflow.com/a/19414886/969881

Or even use HtmlAgilityPack as in that link: https://stackoverflow.com/a/19414865/969881

But my coworker says that it's not efficient enough, and that I have to use OWASP ESAPI to prevent such an attack.

1/ Is he right?

2/ If so, is there a means to use OWASP ESAPI as a raw string cleaner of data to display in the webBrowser component?

Thanks in advance,


Solution

  • Removing the script tag doesn't fully eliminate the usage of JavaScript on a webpage. There are some obvious workarounds to this method.
    For example:

    <input type="button" onclick="document.getElementById('test').innerHTML = '';" />
    

    As for OWASP ESAPI, it's open-source, which means that advanced users who wish to breach your security system(s) can browse the code of the API and potentially find a workaround for it.

    For this reason, you should consider purchasing some other kind of security system as well as encoding the string to disable HTML tags from functioning when written to the webpage.

    As far as security goes, I would definitely not rely on simply replacing all instances of <script> with a blank string. This is definitely not efficient as shown in the example workaround above. Encoding the string is a fairly decent way to prevent most workarounds, although advanced users can find ways.

    Therefore, to answer your questions:
    (1) Yes, he's right that there are more efficient ways than encoding a string.
    (2) I wouldn't personally recommend using an open-source string cleaner because users can browse through the code and potentially find a way of breaching the security mechanisms.
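The following is an added example, not code from the question or the answer above. It puts the three approaches discussed on this page side by side: the naive `<script>`-stripping the question links to, the HTML-encoding the answer recommends, and an allowlist sanitizer built on HtmlAgilityPack (also mentioned in the question). The sample HTML is constructed here and is the answer's `onclick` case; the class and method names (`HtmlSanitizerExample`, `NaiveStripScript`, `EncodeForDisplay`, `SanitizeWithAllowlist`, `ContainsActiveContent`) and the allowlists are my own assumptions, and the HtmlAgilityPack NuGet package is assumed to be referenced.

```csharp
// Added example (not from the original post). Assumes the HtmlAgilityPack package is referenced.
using System;
using System.Linq;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using HtmlAgilityPack;

static class HtmlSanitizerExample
{
    // Constructed sample input: no <script> element at all, only an inline event handler,
    // which is exactly the case the answer above says tag-stripping misses.
    const string SampleHtml =
        "<p id=\"test\">Hello</p>" +
        "<input type=\"button\" onclick=\"document.getElementById('test').innerHTML='';\" />";

    // 1. The approach the question links to: drop <script>...</script> blocks.
    //    Event-handler attributes such as onclick are left untouched.
    public static string NaiveStripScript(string html) =>
        Regex.Replace(html, @"<script[^>]*>.*?</script>", string.Empty,
                      RegexOptions.IgnoreCase | RegexOptions.Singleline);

    // 2. The approach the answer recommends: encode the whole string so the control
    //    renders the markup as visible text. Nothing can execute because there are no tags.
    public static string EncodeForDisplay(string html) =>
        "<pre>" + WebUtility.HtmlEncode(html) + "</pre>";

    // 3. Allowlist sanitizer (hypothetical allowlists): keep only known-harmless elements
    //    and attributes; everything else (script, iframe, on* handlers, javascript: URLs)
    //    is removed from the parsed tree rather than matched with string replacement.
    static readonly string[] AllowedTags  = { "p", "b", "i", "br", "ul", "ol", "li", "a" };
    static readonly string[] AllowedAttrs = { "href", "id" };

    public static string SanitizeWithAllowlist(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html);
        // ToList() snapshots the enumeration so nodes can be removed while walking.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType != HtmlNodeType.Element) continue;
            if (!AllowedTags.Contains(node.Name.ToLowerInvariant()))
            {
                node.Remove();   // drops the element together with its subtree
                continue;
            }
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = AllowedAttrs.Contains(attr.Name.ToLowerInvariant())
                         && !attr.Value.TrimStart().StartsWith("javascript:", StringComparison.OrdinalIgnoreCase);
                if (!keep) node.Attributes.Remove(attr);
            }
        }
        return doc.DocumentNode.OuterHtml;
    }

    // A check to run over a filter's output while evaluating it: does any tag still carry
    // a script element, an on* handler or a javascript: URL? It is a test heuristic for
    // comparing filters, not a filter in its own right.
    public static bool ContainsActiveContent(string html) =>
        Regex.IsMatch(html, @"<script|<\w+[^>]*\son\w+\s*=|<\w+[^>]*javascript:", RegexOptions.IgnoreCase);

    static void Main()
    {
        // Mirror the question's flow: the payload arrives Base64-encoded and is decoded first.
        string rawDataB64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(SampleHtml));
        string html = Encoding.UTF8.GetString(Convert.FromBase64String(rawDataB64));

        Console.WriteLine("naive strip keeps active content : " + ContainsActiveContent(NaiveStripScript(html)));
        Console.WriteLine("encoded keeps active content     : " + ContainsActiveContent(EncodeForDisplay(html)));
        Console.WriteLine("allowlist keeps active content   : " + ContainsActiveContent(SanitizeWithAllowlist(html)));

        // In the form, assign the cleaned result instead of the raw string:
        // webBrowser1.DocumentText = SanitizeWithAllowlist(html);
    }
}
```

Running this shows the point of the answer: the naive filter passes the `onclick` handler through unchanged, whereas both the encoded form and the allowlist output contain nothing the control can execute. Encoding is the right choice when the payload is data to be shown verbatim; the allowlist sanitizer is for the case where some markup must still render, and its safety rests on the lists being short and on attribute values being checked, not on enumerating the things to forbid.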