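<%
'=======================================================================================================================
' HTML SECURITY HELPER
'=======================================================================================================================
' Per-session anti-CSRF token store for form handlers. A token is generated on demand, stored in Session under
' "<name>.anti_csrf_token", compared against the value submitted with the form, and removed after every check
' (valid or not) so each token can be used once. Depends on the ASP intrinsic Session object and on the MVC and
' Flash helpers defined elsewhere in this project.
Class HTML_Security_Helper_Class

  '---------------------------------------------------------------------------------------------------------------------
  'Builds the Session key under which the token for the passed name is stored.
  Private Function TokenKey(name)
    TokenKey = name & ".anti_csrf_token"
  End Function

  '---------------------------------------------------------------------------------------------------------------------
  'Uses Scriptlet.TypeLib to generate a GUID. There may be a better/faster way than this to generate a nonce.
  'Returns the braced GUID string (38 characters). The Guid property carries trailing non-printing characters after
  'the closing brace; Left(..., 38) drops them, otherwise anything appended after the token does not render (MSFT bug).
  Public Function Nonce()
    Dim TL : Set TL = CreateObject("Scriptlet.TypeLib")
    Nonce = Left(CStr(TL.Guid), 38)
    Set TL = Nothing
  End Function

  '---------------------------------------------------------------------------------------------------------------------
  'Generates a fresh nonce and stores it in the session for the passed name.
  'Name is probably the combined ControllerName and ActionName of the form generator by convention.
  Public Sub SetAntiCSRFToken(name)
    Session(TokenKey(name)) = Nonce()
  End Sub

  '---------------------------------------------------------------------------------------------------------------------
  'Returns the CSRF token nonce from the session corresponding to the passed name, generating one first if none is
  'stored. Always returns the value that is now in the session (the original returned the stale empty read after
  'generating, so the first call of a request yielded "").
  Public Function GetAntiCSRFToken(name)
    Dim key : key = TokenKey(name)
    Dim token : token = "" & Session(key)   '"" & x coerces Empty/Null to "" so Len() is safe
    If Len(token) = 0 Then
      SetAntiCSRFToken name
      token = "" & Session(key)             're-read so the caller gets the nonce that was just stored
    End If
    GetAntiCSRFToken = token
  End Function

  '---------------------------------------------------------------------------------------------------------------------
  'Removes the current CSRF token nonce for the passed name.
  Public Sub ClearAntiCSRFToken(name)
    Session.Contents.Remove(TokenKey(name))
  End Sub

  '---------------------------------------------------------------------------------------------------------------------
  'Returns True if the passed nonce matches the stored CSRF token nonce for the specified name, False if not.
  'Both values must be non-empty: a session that has no token yet must never validate a missing or blank form field
  '(the original compared an Empty session value with "" and accepted it). Comparison is case-sensitive (binary).
  Public Function IsValidAntiCSRFToken(name, nonce)
    Dim stored : stored = "" & GetAntiCSRFToken(name)
    Dim submitted : submitted = "" & nonce   'coerces Null/Empty/request values to a plain string
    IsValidAntiCSRFToken = (Len(stored) > 0) And (Len(submitted) > 0) And (StrComp(stored, submitted, vbBinaryCompare) = 0)
  End Function

  '---------------------------------------------------------------------------------------------------------------------
  'If an invalid CSRF nonce is passed, sets the flash and redirects using the appropriate MVC.Redirect* method.
  'If a valid CSRF nonce is passed, clears it from the session to reset the state to the beginning.
  'The three short forms below all delegate to OnInvalidAntiCSRFTokenRedirectToExt.
  Public Sub OnInvalidAntiCSRFTokenRedirectToAction(token_name, token, action_name)
    OnInvalidAntiCSRFTokenRedirectToExt token_name, token, MVC.ControllerName, action_name, Empty
  End Sub

  Public Sub OnInvalidAntiCSRFTokenRedirectToActionExt(token_name, token, action_name, params)
    OnInvalidAntiCSRFTokenRedirectToExt token_name, token, MVC.ControllerName, action_name, params
  End Sub

  Public Sub OnInvalidAntiCSRFTokenRedirectTo(token_name, token, controller_name, action_name)
    'Ext takes five arguments; the original passed four, which raises "Wrong number of arguments" at runtime.
    OnInvalidAntiCSRFTokenRedirectToExt token_name, token, controller_name, action_name, Empty
  End Sub

  'token_name: session key prefix; token: value submitted with the form; controller_name/action_name/params: redirect
  'target handed to MVC.RedirectToExt when the token does not match. The stored token is cleared in both branches so a
  'token is single-use and a failed attempt cannot be retried against the same value.
  Public Sub OnInvalidAntiCSRFTokenRedirectToExt(token_name, token, controller_name, action_name, params)
    Dim ok : ok = IsValidAntiCSRFToken(token_name, token)
    ClearAntiCSRFToken token_name
    If Not ok Then
      Flash.AddError "Invalid form state. Please try again."
      MVC.RedirectToExt controller_name, action_name, params
    End If
  End Sub

End Class

'Lazily constructed singleton accessor; the helper holds no state of its own, all state lives in Session.
Dim HTML_Security_Helper__Singleton
Function HTMLSecurity()
  If IsEmpty(HTML_Security_Helper__Singleton) Then
    Set HTML_Security_Helper__Singleton = New HTML_Security_Helper_Class
  End If
  Set HTMLSecurity = HTML_Security_Helper__Singleton
End Function
%>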