I'd like to REPRODUCE a scenario where a 3rd party testing team injected a <script> tag into an HTML template on our front end. Then I want to add code to prevent this (i.e. front end angular sanitize or on the backend).
Normally, this Html template gets filled out dynamically, then sent to the server where it gets converted to a PDF.
In the case of the script inject, they were able to inject document.write('failed'), which affected the resulting PDF.
Here is a sample html template, where I attempt to inject a script. However, it has NO effect on the final Pdf.
I noticed in their injection script they're using an onerror routine. Perhaps that's what I need to do...
Using Postman, I will Post to a Url something like this:
https://myServer.myApp.com/TheReport/api/ireports/ConvertToPDF?sessionID=BLA-BLA&reportID=12868
{
"htmlString": "<!DOCTYPE html><head> <script> var req = new XMLHttpRequest();req.open(\"GET\", \"https://www.bob22334455.com/ThisIsNotAPage.html\");req.send();req.onerror = function(){document.write(\"FAILED\");}} <meta charset=\"utf-8\"><style>@page{margin:0}html,body{margin:0;color:black;background-color:white}.page{margin:0;overflow:hidden;position:relative;box-sizing:border-box;page-break-after:always}body.A3 .page{width:297mm;height:419mm}body.A3.landscape .page{width:420mm;height:296mm}body.A4 .page{width:210mm;height:260mm}body.A4.landscape .page{width:297mm;height:209mm}body.A5 .page{width:148mm;height:209mm}body.A5.landscape .page{width:210mm;height:147mm}.page.padding-10mm{padding:10mm}.page.padding-15mm{padding:15mm}.page.padding-20mm{padding:20mm}.page.padding-25mm{padding:25mm}img{max-height:100%;max-width:100%;left:50%;position:absolute;top:50%;transform:translate(-50%,-50%)}.print-toolbar{position:absolute;right:100px;top:30px;z-index:99}.form-control,table{background-color:white;color:black;display:inline-block;width:auto}input,textarea{border:1px solid black}@page{size:A4}</style></head><body class='A4'>\n</script> <div>WELCOME HOME #555.</div></body></html>",
"reportParameters": null
}
On the backend, that html string is passed to the C# method in .NET:
// Requires: using System; using System.IO; using System.Text.RegularExpressions;
public Stream ConvertHTMLStringToPDFStream(string htmlString, long uID, ref string ExceptionMsg)
{
    string form = "";
    string subject = "";

    // Use the first <h4> (or, failing that, <h5>) heading as the PDF subject.
    int formPos = htmlString.IndexOf("<h4>");
    if (formPos == -1)
    {
        formPos = htmlString.IndexOf("<h5>");
    }
    if (formPos != -1)
    {
        int formEndPos = htmlString.IndexOf("<", formPos + 4);
        // Guard against an unterminated heading, which would make Substring throw.
        if (formEndPos != -1 && formEndPos + 4 <= htmlString.Length)
        {
            form = htmlString.Substring(formPos, formEndPos - formPos + 4);
            subject = form.Substring(4, form.Length - 8);
        }
    }

    Stream stream = null;
    try
    {
        // Strip <link> tags and <style> blocks before conversion.
        htmlString = Regex.Replace(htmlString, @"<link[^>]*>", string.Empty);
        htmlString = Regex.Replace(htmlString, @"<style>[^<]*", string.Empty);
        htmlString = Regex.Replace(htmlString, @"</style>[^<]*", string.Empty);

        SelectPdf.HtmlToPdf converter = new SelectPdf.HtmlToPdf();

        // set converter options
        SelectPdf.PdfPageSize pageSize = SelectPdf.PdfPageSize.Letter;
        converter.Options.PdfPageSize = pageSize;
        converter.Options.PdfPageOrientation = SelectPdf.PdfPageOrientation.Portrait;
        converter.Options.PdfDocumentInformation.Title = uID == 0 ? "Report" : $"Report ID: {Convert.ToString(uID)}";
        converter.Options.PdfDocumentInformation.Author = "My Company";
        converter.Options.PdfDocumentInformation.Subject = $"{subject}";
        //converter.Options.WebPageWidth = webPageWidth;
        //converter.Options.WebPageHeight = webPageHeight;

        // create a new pdf document from the html string
        SelectPdf.PdfDocument doc = converter.ConvertHtmlString(htmlString);
        stream = new MemoryStream(doc.Save());
    }
    catch (Exception ex)
    {
        ExceptionMsg = $"ConvertHTMLStringToPDFStream form: {form}: {ex.Message} inner: {ex.InnerException}";
    }
    return stream;
}
Thanks for any advice...


In your provided htmlString, there is a part of it written <script req = new XMLHttpRequest(), but I think it should be <script>var req = new XMLHttpRequest().
There are other typos in your htmlString:
<script>, but only closing one with </script>.
window.onload=\function(){ to window.onload=function(){.
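
A server-side hardening sketch for the conversion step in the question, added here as an example and not code from either poster or from SelectPdf. It assumes the HtmlSanitizer NuGet package (`Ganss.Xss`) is installed; the class name `SafePdfRenderer` and the method `Render` are hypothetical.

```csharp
using System.IO;
using Ganss.Xss; // assumption: HtmlSanitizer NuGet package (older releases use namespace Ganss.XSS)

// Hypothetical helper, not part of the original post.
public static class SafePdfRenderer
{
    // Allowlist sanitizer: tags and attributes that are not explicitly allowed
    // (script, iframe, object, on* event handlers, javascript: URLs) are removed,
    // instead of trying to pattern-match bad input with Regex.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var sanitizer = new HtmlSanitizer();
        // Keep the document skeleton so a full <html> page can pass through.
        sanitizer.AllowedTags.Add("html");
        sanitizer.AllowedTags.Add("head");
        sanitizer.AllowedTags.Add("body");
        return sanitizer;
    }

    public static Stream Render(string untrustedHtml)
    {
        // 1. Sanitize on the server. The POST body can be written by hand
        //    (for example with Postman), so front-end sanitizing alone never
        //    protects the converter.
        string cleanHtml = Sanitizer.SanitizeDocument(untrustedHtml);

        var converter = new SelectPdf.HtmlToPdf();

        // 2. Defense in depth: do not execute scripts while rendering, so a
        //    payload that slips past the sanitizer still cannot alter the
        //    page with document.write or issue requests from the server.
        converter.Options.JavaScriptEnabled = false;
        converter.Options.PdfPageSize = SelectPdf.PdfPageSize.Letter;

        SelectPdf.PdfDocument doc = converter.ConvertHtmlString(cleanHtml);
        try
        {
            return new MemoryStream(doc.Save());
        }
        finally
        {
            doc.Close();
        }
    }
}
```

With the default allowlist, `<style>` blocks are also removed, which matches what the Regex calls in the question's method already do.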