<%
'=======================================================================================================================
' HTML SECURITY HELPER
'=======================================================================================================================
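Class HTML_Security_Helper_Class
    '---------------------------------------------------------------------------------------------------------------------
    'Builds the Session key under which the anti-CSRF token for the given form name is stored.
    'Centralised so every method reads and writes the same key.
    Private Function TokenKey(name)
        TokenKey = name & ".anti_csrf_token"
    End Function
    '---------------------------------------------------------------------------------------------------------------------
    'Uses Scriptlet.TypeLib to generate a GUID. There may be a better/faster way than this to generate a nonce.
    'Returns the GUID as a 38-character string (braces included).
    'NOTE(review): the GUID from Scriptlet.TypeLib is the token's only source of randomness - confirm it is
    'acceptable for this purpose on the target hosts.
    Public Function Nonce()
        dim TL : set TL = CreateObject("Scriptlet.TypeLib")
        'Left(..., 38) avoids issue w/ strings appended after this token not being displayed on screen, MSFT bug
        Nonce = Left(CStr(TL.Guid), 38)
        set TL = Nothing
    End Function
    '---------------------------------------------------------------------------------------------------------------------
    'Name is probably the combined ControllerName and ActionName of the form generator by convention.
    'Stores a freshly minted nonce in the session for that name, replacing any existing one.
    Public Sub SetAntiCSRFToken(name)
        Session(TokenKey(name)) = Nonce()
    End Sub
    '---------------------------------------------------------------------------------------------------------------------
    'Returns the CSRF token nonce from the session corresponding to the passed name.
    'If no token exists yet for that name, one is minted and the NEW value is returned, so the first form render
    'already carries a usable token. (Previously the freshly minted value was not returned, so the first
    'submission after a new session could never validate.)
    Public Function GetAntiCSRFToken(name)
        dim token : token = Session(TokenKey(name))
        'Session returns Empty for an unset key; treat Empty/Null uniformly as "no token".
        If IsEmpty(token) Or IsNull(token) Then token = ""
        If Len(token) = 0 then
            SetAntiCSRFToken name
            token = Session(TokenKey(name))
        End If
        GetAntiCSRFToken = token
    End Function
    '---------------------------------------------------------------------------------------------------------------------
    'Removes the current CSRF token nonce for the passed name
    Public Sub ClearAntiCSRFToken(name)
        Session.Contents.Remove(TokenKey(name))
    End Sub
    '---------------------------------------------------------------------------------------------------------------------
    'Returns true if passed nonce matches the stored CSRF token nonce for the specified name, false if not.
    'An empty or missing submitted nonce is never valid, regardless of session state: with a plain "=" comparison
    'an Empty (unset) session token compared equal to an empty submission, so a request carrying no token at all
    'could pass the check. The comparison is a binary string compare so case variants do not match.
    Public Function IsValidAntiCSRFToken(name, nonce)
        IsValidAntiCSRFToken = False
        If IsEmpty(nonce) Or IsNull(nonce) Then Exit Function
        dim submitted : submitted = CStr(nonce)
        If Len(submitted) = 0 Then Exit Function
        dim expected : expected = GetAntiCSRFToken(name)
        If IsEmpty(expected) Or IsNull(expected) Then Exit Function
        expected = CStr(expected)
        If Len(expected) = 0 Then Exit Function
        IsValidAntiCSRFToken = (StrComp(expected, submitted, vbBinaryCompare) = 0)
    End Function
    '---------------------------------------------------------------------------------------------------------------------
    'If an invalid CSRF nonce is passed, sets the flash and redirects using the appropriate MVC.Redirect* method.
    'If a valid CSRF nonce is passed, clears it from the cache to reset the state to the beginning.
    'The four variants below differ only in which controller/action and parameters the redirect targets;
    'all of them delegate to OnInvalidAntiCSRFTokenRedirectToExt.
    Public Sub OnInvalidAntiCSRFTokenRedirectToAction(token_name, token, action_name)
        OnInvalidAntiCSRFTokenRedirectToExt token_name, token, MVC.ControllerName, action_name, empty
    End Sub
    Public Sub OnInvalidAntiCSRFTokenRedirectToActionExt(token_name, token, action_name, params)
        OnInvalidAntiCSRFTokenRedirectToExt token_name, token, MVC.ControllerName, action_name, params
    End Sub
    Public Sub OnInvalidAntiCSRFTokenRedirectTo(token_name, token, controller_name, action_name)
        'The Ext variant takes five arguments; the original call passed four, which VBScript rejects at
        'runtime with "Wrong number of arguments". Pass Empty for params as the Action variant does.
        OnInvalidAntiCSRFTokenRedirectToExt token_name, token, controller_name, action_name, empty
    End Sub
    Public Sub OnInvalidAntiCSRFTokenRedirectToExt(token_name, token, controller_name, action_name, params)
        dim valid : valid = IsValidAntiCSRFToken(token_name, token)
        'The token is single-use: it is cleared whether or not it validated, so a replayed nonce is rejected
        'and a failed attempt cannot keep probing the same stored value.
        ClearAntiCSRFToken token_name
        If Not valid Then
            Flash.AddError "Invalid form state. Please try again."
            MVC.RedirectToExt controller_name, action_name, params
        End If
    End Sub
End Class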
'Script-level holder for the single HTML_Security_Helper_Class instance used by this page execution.
dim HTML_Security_Helper__Singleton
'Returns the shared HTML_Security_Helper_Class instance, creating it lazily on the first call.
Function HTMLSecurity()
    'Empty means the holder has never been assigned; any later call reuses the same object.
    If IsEmpty(HTML_Security_Helper__Singleton) Then set HTML_Security_Helper__Singleton = new HTML_Security_Helper_Class
    set HTMLSecurity = HTML_Security_Helper__Singleton
End Function
%>