[Mono-bugs] [Bug 78948][Nor] New - [PATCH] HtmlTextArea.Value should be encoded, even under 1.0

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Tue Jul 25 14:53:32 EDT 2006

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by dean at brettle.com.


--- shadow/78948	2006-07-25 14:53:32.000000000 -0400
+++ shadow/78948.tmp.16512	2006-07-25 14:53:32.000000000 -0400
@@ -0,0 +1,69 @@
+Bug#: 78948
+Product: Mono: Class Libraries
+Version: 1.1
+OS Details: 
+Status: NEW   
+Priority: Normal
+Component: Sys.Web
+AssignedTo: gonzalo at ximian.com                            
+ReportedBy: dean at brettle.com               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: [PATCH] HtmlTextArea.Value should be encoded, even under 1.0
+Description of Problem:
+The HtmlTextArea renders its Value property verbatim instead of
+HTML-encoding it.  This is inconsistent with ASP.NET 1.1.4322.2300 and
+opens up Mono-based sites to script injection attacks.  This bug was
+previously fixe for the 2.0 profile (see bug 78074), but seems to have been
+intentionally left in for the 1.0 profile.  I've tested the behavior of
+ASP.NET 1.1 and confirmed that it does not have this bug (i.e. it *does*
+HTML-encode the value).
+Steps to reproduce the problem:
+1. View the following aspx page under the 1.0 profile:
+<%@ language="c#" %>
+<script runat="server">
+        void Page_Load (object sender, EventArgs e)
+        {
+                 //myTA.InnerText = "Hi there!\nCool!";
+                 myTA.Value = "<hola>something</hola>";
+        }
+<form runat="server">
+<textarea id="myTA" cols=25 rows=5 runat="server" />
+2. View the HTML source that is rendered.
+Actual Results:
+<textarea name="myTA" id="myTA" cols="25"
+Expected Results:
+<textarea name="myTA" id="myTA" cols="25"
+How often does this happen? 
+Additional Information:
+I'll attach the obvious patch.

More information about the mono-bugs mailing list