When a user inputs certain ASCII control characters into any input field, the entire application crashes (backend throws an exception). Instead of crashing, the application should handle such inputs gracefully by sanitizing the input, preventing the entry of control characters, or displaying an appropriate error message to the user.
Steps To Reproduce
Open any altinn3 application.
Navigate to any input field (e.g., text box, form field)
Input any of the following ASCII control characters:
0x01 (SOH - Start of Heading)
0x02 (STX - Start of Text)
0x03 (ETX - End of Text)
0x04 (EOT - End of Transmission)
0x05 (ENQ - Enquiry)
0x06 (ACK - Acknowledge)
0x07 (BEL - Bell)
0x08 (BS - Backspace)
0x0B (VT - Vertical Tab)
0x0C (FF - Form Feed)
0x0E (SO - Shift Out)
0x0F (SI - Shift In)
0x10 (DLE - Data Link Escape)
0x11 (DC1 - Device Control 1)
0x12 (DC2 - Device Control 2)
0x13 (DC3 - Device Control 3)
0x14 (DC4 - Device Control 4)
0x15 (NAK - Negative Acknowledge)
0x16 (SYN - Synchronous Idle)
0x17 (ETB - End of Transmission Block)
0x18 (CAN - Cancel)
0x19 (EM - End of Medium)
0x1A (SUB - Substitute)
0x1B (ESC - Escape)
0x1C (FS - File Separator)
0x1D (GS - Group Separator)
0x1E (RS - Record Separator)
0x1F (US - Unit Separator)
Observe that the application crashes upon processing the input.
Additional Information
Tested on the following versions:
Altinn.App.Core: 7.15.2, 8.3.5, 8.5.0-preview.7
Altinn.App.Api: 7.15.2, 8.3.5, 8.5.0-preview.7
Frontend: 3.68.6, 4.8.2, 4.9.0-rc.1
Error Message from API/Backend:
There was an error generating the XML document. '�', hexadecimal value 0x02, is an invalid character.
Relevant Stack Trace:
System.InvalidOperationException:
at System.Xml.Serialization.XmlSerializer.Serialize
...
Inner exception System.ArgumentException handled at System.Xml.Serialization.XmlSerializer.Serialize:
at System.Xml.XmlUtf8RawTextWriter.WriteElementTextBlock
...
Suggested Improvements:
Frontend Validation: The frontend should validate and sanitize user input to prevent ASCII control characters from being sent to the backend/API.
Backend Validation: The backend should also implement validation or sanitization of input data, since the same data can be sent directly to the API (maskinell innrapportering).
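As an added example (not code from the issue or from the Altinn project), the check both suggested layers need, written as a small JavaScript validator against the XML 1.0 Char production that the .NET XML writer in the stack trace enforces; the function names and the sample value are assumptions.

```javascript
// Added example, not Altinn project code: checks a string against the
// XML 1.0 Char production, which is the rule System.Xml applies when
// XmlSerializer writes the data model. The same check can run in the
// frontend before a form is posted and in the API before serialization.
//
// Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
function isXmlChar(cp) {
  return cp === 0x9 || cp === 0xa || cp === 0xd ||
    (cp >= 0x20 && cp <= 0xd7ff) ||
    (cp >= 0xe000 && cp <= 0xfffd) ||
    (cp >= 0x10000 && cp <= 0x10ffff);
}

// Returns the offending characters (UTF-16 index plus code point) so a
// validation message can name them; an empty array means the value is
// safe to hand to the XML serializer.
function findInvalidXmlChars(value) {
  const bad = [];
  let index = 0;
  // for...of yields whole code points, so an emoji (surrogate pair) is
  // judged as one valid astral character, while a lone surrogate shows
  // up as a code point in D800-DFFF and is rejected.
  for (const ch of value) {
    const cp = ch.codePointAt(0);
    if (!isXmlChar(cp)) bad.push({ index, codePoint: cp });
    index += ch.length;
  }
  return bad;
}

// Drops invalid characters instead of reporting them; suitable where
// silently cleaning pasted text is acceptable.
function stripInvalidXmlChars(value) {
  let out = '';
  for (const ch of value) {
    if (isXmlChar(ch.codePointAt(0))) out += ch;
  }
  return out;
}

// Constructed sample: the STX (0x02) control character from the issue
// embedded in ordinary text.
const SAMPLE = 'Hei\u0002verden';
console.log(findInvalidXmlChars(SAMPLE)); // [{ index: 3, codePoint: 2 }]
console.log(JSON.stringify(stripInvalidXmlChars(SAMPLE))); // "Heiverden"
```

Tab, LF and CR pass the check, which matches the issue's list of crashing characters (0x09, 0x0A and 0x0D are absent from it).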
A patch for this was merged here, but has not been pushed to a release yet.
@trymval if you want to test locally, you just need the latest from main@app-lib-dotnet and a reference to this project in your local app. I'm not entirely sure when the next nuget release is planned for.