AjaxControlToolkit
Server tags in CSS
Hi,
We've been using the AjaxControlToolkit for many years, but just recently, a security scan flagged a "source code leakage" in some CSS returned by WebResource.axd. Specifically, it contained <%= %> server blocks.
Most of the CSS is normal, but the issue is with the following two CSS selectors:
- .ajax__tab_xp .ajax__tab_header_bottom .ajax__tab_active .ajax__tab_inner
- .ajax__tab_xp .ajax__tab_header_bottom .ajax__tab_active .ajax__tab_tab
Both of them have a <%=WebResource()%> value. Those server blocks were never replaced, so not only is the scan flagging it, but no background image is shown for elements that fit those specific selectors.
Here is the CSS:
.ajax__tab_xp .ajax__tab_header_bottom .ajax__tab_active .ajax__tab_inner {
background-image:url('<%=WebResource(""AjaxControlToolkit.Images.Tabs.Bottom-ActiveLeft.gif"")%>')
}
.ajax__tab_xp .ajax__tab_header_bottom .ajax__tab_active .ajax__tab_tab {
background-image:url('<%=WebResource(""AjaxControlToolkit.Images.Tabs.Bottom-Active.gif"")%>')
}
Here is the full CSS file: code leakage.css.txt
We are using AjaxControlToolkit version 20.1.0 from NuGet. I tested it in both Chrome and Firefox and it shows up in both. The site is deployed with IIS.
I've never seen this before. Am I doing something wrong on my end? Let me know if you need more information.
Thanks in advance!
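
A build or CI check for the condition the scan flagged, as an added example that is not part of the original post or of the AjaxControlToolkit project: it lists every CSS rule that still contains a `<%= %>` block, together with the resource name the block references. The sample stylesheet is constructed from the two rules quoted above plus one hypothetical rule whose URL was expanded; the function and variable names are assumptions.

```python
import re

# Unreplaced ASP.NET expression block, e.g. <%=WebResource("Name")%>
SERVER_TAG = re.compile(r"<%=?\s*(.*?)\s*%>", re.S)
# Resource name inside WebResource(...), tolerating single or doubled quotes
RESOURCE = re.compile(r"WebResource\(\s*[\"']+([^\"']+)[\"']+\s*\)")
# Flat CSS rule: selector { declarations } (no nested blocks)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
COMMENT = re.compile(r"/\*.*?\*/", re.S)


def find_unreplaced_server_tags(css):
    """Return one finding per server block left in the CSS text."""
    findings = []
    for rule in RULE.finditer(COMMENT.sub("", css)):
        selector = " ".join(rule.group(1).split())
        for tag in SERVER_TAG.finditer(rule.group(2)):
            res = RESOURCE.search(tag.group(1))
            findings.append({
                "selector": selector,
                "tag": tag.group(0),
                "resource": res.group(1) if res else None,
            })
    return findings


# Constructed sample: the two rules quoted in the post plus one hypothetical
# rule whose URL was expanded (the WebResource.axd query string is made up).
SAMPLE_CSS = '''
.ajax__tab_xp .ajax__tab_header .ajax__tab_inner {
background-image:url('WebResource.axd?d=PLACEHOLDER&t=0')
}
.ajax__tab_xp .ajax__tab_header_bottom .ajax__tab_active .ajax__tab_inner {
background-image:url('<%=WebResource(""AjaxControlToolkit.Images.Tabs.Bottom-ActiveLeft.gif"")%>')
}
.ajax__tab_xp .ajax__tab_header_bottom .ajax__tab_active .ajax__tab_tab {
background-image:url('<%=WebResource(""AjaxControlToolkit.Images.Tabs.Bottom-Active.gif"")%>')
}
'''

if __name__ == "__main__":
    for f in find_unreplaced_server_tags(SAMPLE_CSS):
        print(f"{f['selector']}: {f['resource']} ({f['tag']})")
```

Run against the CSS saved from the WebResource.axd response, an empty result means no server blocks reached the client.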