I know this is a clunky way to do this. But, I have a client-side application. The user types notes in it. Then there's a button to send those notes to a specific field in existing IE windows.
Code:
Private Sub tsmiSendData_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles tsmiSendData.Click
    Dim notes As String = txtNotes.Text
    ' Find every open IE window whose URL starts with the target site
    For Each url As String In IE.Browser.GetUrls("https://blah.blah.blah")
        Dim browser As New IE.Browser(url)
        If browser IsNot Nothing Then
            ' The target field on the third-party page
            Dim elements As IE.Elements = browser.Document.GetElementsByName("narrativeText")
            If (elements IsNot Nothing) AndAlso (elements.Count > 0) Then
                For Each element As IE.Element In elements
                    element.Value = notes
                Next
            End If
        End If
    Next
End Sub
The IE namespace wraps the Microsoft Internet Controls (Interop.SHDocVw.dll) and Microsoft.mshtml (Microsoft.mshtml.dll) into simple objects. It's basically there to save me from having to cast types, error check, etc.
Code:
Public Class Element
    Private myElement As mshtml.IHTMLElement

    Public Property Value() As String
        Get
            'code that doesn't matter here
        End Get
        Set(ByVal value As String)
            ' HTML-encode before writing to the input's value property
            Dim encoded As String = System.Web.HttpUtility.HtmlEncode(value)
            If TypeOf myElement Is mshtml.HTMLInputElement Then
                CType(myElement, mshtml.HTMLInputElement).value = encoded
            End If
        End Set
    End Property
End Class
So, here's my problem. In order to avoid injection via XSS, I do an HTMLEncode on the text. This causes the conversion of data like ampersands and quotes to &amp; and &quot;. This doesn't work, because then the user has to fix the data in the IE windows.
Is there a risk of injection when setting the value of an input textbox? I can't think of a way that it would, but maybe I'm just not devious enough.
Is there a better way to pass the data to an input textbox that causes the encoded value to be decoded?
I realize the best solution would be to not have to pass the data through the IE window. Unfortunately, I'm not the owner on that side and the owner is requiring the data be passed through their webpage.
Any help is appreciated.
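As an added illustration (not code from the post), here are the two contexts the question turns on, side by side in Python: notes spliced into HTML source text, where a real HTML parser sees the quotes, versus notes assigned to an element's value property. The DOM element is a stand-in class (assumption: like the mshtml property setter, it stores the string and performs no HTML parsing), and the sample notes are constructed.

```python
import html
from html.parser import HTMLParser


class InputValueReader(HTMLParser):
    """Records the value attribute of each <input name="narrativeText"> it parses."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "narrativeText":
            self.values.append(attrs.get("value"))


def render_into_markup(notes, encode):
    """Context 1: the notes are spliced into HTML source text.
    The browser's parser reads this text, so a quote inside the notes
    terminates the attribute unless the notes are HTML-encoded first."""
    text = html.escape(notes, quote=True) if encode else notes
    return f'<input name="narrativeText" value="{text}">'


def value_seen_by_parser(markup):
    """What an HTML parser ends up storing as the input's value."""
    reader = InputValueReader()
    reader.feed(markup)
    return reader.values[0] if reader.values else None


class FakeInputElement:
    """Stand-in for a live DOM input (assumption: behaves like the mshtml
    HTMLInputElement.value setter). Assigning .value stores the string;
    nothing re-parses it as HTML."""

    def __init__(self):
        self.value = ""


def set_via_dom_property(notes, encode):
    """Context 2: the notes are assigned to the element's value property.
    Encoding here does not protect anything; it only changes what is shown."""
    element = FakeInputElement()
    element.value = html.escape(notes, quote=True) if encode else notes
    return element.value


# Constructed sample input: ordinary text containing characters HTML treats specially.
NOTES = 'say "hi" & bye'
```

Run with the sample: in the markup context the unencoded quote truncates the value to `say `, encoding restores the full text; in the property context the unencoded text arrives intact, while the encoded text arrives as literal `&quot;` and `&amp;`, which is exactly what the users have to fix by hand.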