
Comments (9)

flytzen commented on July 20, 2024 2

The issue is that the AntiXssEncoder is incompatible with asp:Image when used with base64 image data. It's a general issue.
See https://stackoverflow.com/questions/67839146/data-uri-is-double-encoded-by-antixssencoder

I have added an answer to that SO question explaining one way to fix it.

from googleauthenticator.
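The comment above points at the mechanism without showing it: a base64 data URI depends on characters such as ':', ';', ',', '+', '/' and '=' reaching the browser untouched, so any encoder that percent-encodes URL-reserved characters before the value lands in an `src` attribute leaves the browser with nothing it can decode. The block below is an added example for this thread, not code from the GoogleAuthenticator project or from the linked Stack Overflow answer. It uses `encodeURIComponent` as a stand-in for that class of encoder (an assumption, not a re-implementation of AntiXssEncoder), and shows the alternative a defender usually wants: validate the data URI against an allow-list (image media type, clean base64 alphabet, correct padding, PNG signature) and then HTML-attribute-encode it, which neutralises attribute breakout while leaving the base64 payload intact. The sample data URI is a constructed 1x1 PNG; the script runs under Node.js.

```javascript
// Added example (not the project's or the SO answer's code). Shows why a
// base64 data URI breaks once percent-encoded, and how to emit one into an
// <img src=""> attribute with validation + HTML attribute encoding instead.
// Assumes Node.js (uses the Buffer global).

// Constructed sample input: a 1x1 PNG as a base64 data URI.
const SAMPLE_DATA_URI =
  "data:image/png;base64," +
  "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+P+/HgAFhAJ/wlseKgAAAABJRU5ErkJggg==";

// Stand-in for an encoder that percent-encodes URL-reserved characters
// (':' ';' ',' '/' '+' '='). Assumption: this is the class of transformation
// the thread is hitting; it is NOT a re-implementation of AntiXssEncoder.
function urlEncodeFully(s) {
  return encodeURIComponent(s);
}

// Allow-list: only base64 image data URIs with a recognised media type, a
// clean base64 alphabet and at most two '=' padding characters pass.
const DATA_URI_RE = /^data:image\/(png|gif|jpeg|webp);base64,([A-Za-z0-9+/]+={0,2})$/;
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// True only if a browser could decode this value as an image data URI.
function isBrowserUsableDataUri(s) {
  const m = DATA_URI_RE.exec(s);
  if (!m) return false; // a percent-encoded value fails here: "data%3Aimage..."
  const mediaType = m[1];
  const b64 = m[2];
  if (b64.length % 4 !== 0) return false; // base64 must be padded to a multiple of 4
  if (mediaType === "png") {
    // Cheap content check: decoded bytes must carry the PNG file signature.
    const bytes = Buffer.from(b64, "base64");
    if (bytes.length < 8 || !bytes.subarray(0, 8).equals(PNG_SIGNATURE)) return false;
  }
  return true;
}

// HTML attribute encoding: escapes the characters that can terminate a quoted
// attribute value, but leaves ':' ';' ',' '+' '/' '=' alone, so the browser
// still receives a decodable data URI.
function htmlAttributeEncode(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns an <img> tag for a valid image data URI, or null for anything else
// (non-image media types, malformed base64, or an already percent-encoded URI).
function renderImgTag(dataUri, alt = "QR code") {
  if (!isBrowserUsableDataUri(dataUri)) return null;
  return `<img src="${htmlAttributeEncode(dataUri)}" alt="${htmlAttributeEncode(alt)}">`;
}

// Side-by-side demonstration; returns both outcomes so callers can inspect them.
function demonstrate() {
  const encoded = urlEncodeFully(SAMPLE_DATA_URI);
  return {
    percentEncodedPrefix: encoded.slice(0, 32), // "data%3Aimage%2Fpng%3Bbase64%2C..."
    usableAfterUrlEncoding: isBrowserUsableDataUri(encoded), // false
    usableAsIs: isBrowserUsableDataUri(SAMPLE_DATA_URI), // true
    tag: renderImgTag(SAMPLE_DATA_URI), // <img src="data:image/png;base64,..." alt="QR code">
  };
}
```

Call `demonstrate()` to see both outcomes together. The design point is that URL encoding and HTML attribute encoding answer different questions: the former protects a value that is going to be parsed as part of a URL, the latter protects the attribute boundary. A data URI that is the whole `src` value only needs the latter, plus a structural check so that non-image media types or malformed base64 never reach the page.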

mnoreen commented on July 20, 2024 1

@flytzen Well, my original post was certainly a bit off! But, once I ran into the issue, I backtracked. First, I created a new project in Visual Studio, and just roughed in some simplistic code. Then I downloaded the WebSample code from GitHub and tried that out.

Once I landed on the web.config AntiXssEncoder setting ... I tried that in my test project, my production project, and the WebSample project. Same results across the board. No QR image. Using DevTools in Chrome or Firefox is where I noticed the "bad http request" and that led me down that CORS path, but that was a mistake.

I am not entirely sure how the AntiXssEncoder setting gets involved with HTTP requests. And does taking the web.config setting out "elevate" any risks? It's been in our web.config for so long, I just don't know what it's doing (or what would happen, in production, if we took it out).

It's now a curiosity though! It would be interesting if you are able to figure out anything related to the data: string generated for the URL code...

And, FWIW, your DLL made implementing TOTP so incredibly easy! So, I'd like to a) thank you for that and b) hope you are able to assist!

Thanks in advance.


mnoreen commented on July 20, 2024

FWIW, I pinpointed a web.config difference between the WebSample and my production .NET website that was causing the QR code generation to be blocked:

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" ... />

Taking out the encoderType attribute enabled the image tag to be set by the generated QR code. (Or vice versa, to confirm, adding that to the test Default page in the WebSample site, shows how the image tag is no longer correctly set.)

That's a pretty big step of course. I haven't yet been able to figure out how to step around that in some other way.


flytzen commented on July 20, 2024

I doubt this has anything to do with either CORS or that AntiXss value. I'd recommend wrapping some try/catch code around the calling code to see what error you are getting.
If you are developing on Windows but hosting on Linux then be aware of libgdiplus (see the readme). There are also some settings you can set that require a lot of memory. Again, wrapping your calling code and examining the exception will help you.


mnoreen commented on July 20, 2024

@flytzen As mentioned... I can exactly pinpoint it to the AntiXssEncoder setting in web.config. Using the WebSample website, add that line, the QR image will not generate. Take that line out of web.config and it does generate the QR image. No other changes. Pretty simple/straightforward A/B test.

This is repeatable on Windows 10, on my localhost (using both Visual Studio 2017 and 2021) and also on a Windows 2012 R2 server with IIS; no Linux involved.

I noticed in the GitHub code, the GenerateSetupCode method calls a private UrlEncode() method. Perhaps there is something slipping through there that the AntiXssEncoder does not like.


flytzen commented on July 20, 2024

@mnoreen Sorry, my misunderstanding - did not realise you were using the sample site. I will have a look.


ahwm commented on July 20, 2024

I remember looking this up at one point and it seemed like there was something with data: URIs that Chrome didn't like in certain situations with CORS policies, but it sounds like that's not the root issue anyway. I would suspect that a data URI is treated as script in this instance. Definitely worth a look to see if we can work around it.

I wonder if you would end up needing a secondary "endpoint" that actually loads the image... That seems the most likely resolution (having not played with it, of course).

I look forward to seeing how this plays out.


mnoreen commented on July 20, 2024

@flytzen Thank you for finding that Stack Overflow post. It worked easily enough! And now I don't have to worry about taking that out of the web.config (for now)...


flytzen commented on July 20, 2024

@mnoreen Pleasure. Feel free to upvote my answer on the SO post ;)
