I have an XBAP WPF application which displays various pages inside of a Frame. I was thinking about allowing deep linking into this app, so that users can link to something like http://myhost/myapp.xbap?page=MyPage and then, when the app loads, I automatically set MyPage.xaml as the source of my main frame.

I think I have an understanding of how to achieve this. What I don't know is whether I should do any sanitizing of such a parameter to prevent possible security vulnerabilities. Or is it not a concern in such a scenario in WPF?

A: 

I think it all depends on how you handle the dynamic loading of your XAML. If you're just building the XAML filename straight from the parameter, you could potentially allow the user to load up whatever XAML they want in your application (including anything you might not want the user to have access to, if that's a possibility within your application).

You might want to think about having some kind of mapping file that maps parameters to XAML files. That way you can check to make sure the parameter is valid and the user can only access the XAML elements that you want to give them access to.

Other than that...good luck!

Justin Niessner
Yes, I was talking about plain appending of ".xaml" to the parameter. In this particular scenario I'm not concerned with the user loading some xaml file from my app that they shouldn't load. The only page that is not supposed to go there is the main page with my form (and I can live with someone passing its name as a parameter). What interests me is if there are some ways for malicious users to specify some external xaml file or do anything else that could compromise security or trick the viewing person into doing something they shouldn't.
Alan Mendelevich
It all depends on how you implement the code that dynamically loads the xaml. If you're just appending .xaml, they could include a path (local or net) which would allow them to load external xaml into your app environment. I would still stick with the mapping method.
Justin Niessner
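
The mapping approach recommended in the answer and in the last comment, sketched as an added example that is not part of the original posts. The class name, the page keys other than `MyPage`, the `Home.xaml` fallback and the sample URLs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper: resolves the "page" query parameter through a fixed allowlist.
public static class DeepLinkResolver
{
    // Key accepted in the URL -> XAML page compiled into the app (placeholder names).
    private static readonly Dictionary<string, Uri> Pages =
        new Dictionary<string, Uri>(StringComparer.OrdinalIgnoreCase)
        {
            { "MyPage",  new Uri("MyPage.xaml", UriKind.Relative) },
            { "Reports", new Uri("Pages/Reports.xaml", UriKind.Relative) },
        };

    private static readonly Uri DefaultPage = new Uri("Home.xaml", UriKind.Relative);

    // The parameter value is used only as a dictionary key, never as part of a path,
    // so a value containing a path or an absolute URL simply fails the lookup.
    public static Uri Resolve(Uri launchUri)
    {
        if (launchUri == null || !launchUri.IsAbsoluteUri) return DefaultPage;
        string query = launchUri.Query.TrimStart('?');
        foreach (string pair in query.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            string name = Uri.UnescapeDataString(pair.Substring(0, eq));
            if (!string.Equals(name, "page", StringComparison.OrdinalIgnoreCase)) continue;
            string value = Uri.UnescapeDataString(pair.Substring(eq + 1));
            Uri target;
            return Pages.TryGetValue(value, out target) ? target : DefaultPage;
        }
        return DefaultPage; // no "page" parameter present
    }

    public static void Main()
    {
        // Constructed sample launch URLs: one mapped key, one path, one external URL.
        string[] samples =
        {
            "http://myhost/myapp.xbap?page=MyPage",
            "http://myhost/myapp.xbap?page=..%2FMainForm",
            "http://myhost/myapp.xbap?page=http%3A%2F%2Fexample.invalid%2Fother",
        };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s, Resolve(new Uri(s)));
    }
}
```

In the XBAP itself the launch URL is available as `System.Windows.Interop.BrowserInteropHelper.Source`, and the resolved value can be assigned to the frame's `Source` property.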