Keep it Simp...
Member
546 Points
261 Posts
AntiXSS Library in .NET v4.5
Dec 05, 2012 01:37 AM
In my existing site, I am using HttpUtility.HtmlEncode in many ASPX pages.
I've just migrated the site to .NET v4.5 and want to incorporate AntiXSS, one of the inbuilt new libraries.
So I added the relevant line to the web.config file.
According to: http://www.asp.net/vnext/overview/aspnet/whats-new#_Toc318097382
It says, all output encoding in ASP.NET automatically uses the new encoding routines.
In the ASPX pages:
Do I have to delete HttpUtility but leave the HtmlEncode?
Or, do I delete all cases of HttpUtility.HtmlEncode?
Or, do nothing?
DarrellNorto...
All-Star
86555 Points
9624 Posts
Moderator
MVP
Re: AntiXSS Library in .NET v4.5
Dec 05, 2012 09:35 AM
You should be able to do nothing. The new setting enables the AntiXSS library to override the built-in functions with the safer, AntiXSS functions.
From the link:
When the encoderType attribute is set to use the AntiXssEncoder type, all output encoding in ASP.NET automatically uses the new encoding routines.
Darrell Norton's Blog
Please click "Mark as Answer" if this helped you.
Keep it Simp...
Member
546 Points
261 Posts
Re: AntiXSS Library in .NET v4.5
Dec 05, 2012 08:30 PM
Thanks Darrell. I saw that prior to posting.
HttpUtility and AntiXssEncoder are two different classes.
What is clear is that Eval("someColumn") will be output using the new AntiXSS library if the setting in web.config is declared.
What is not clear is, if I have (from prior to .NET v4.5, in many places):
HttpUtility.HtmlEncode("someColumn")
will it take precedence and override
System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode("someColumn", true)
or will the new AntiXssEncoder override the page level HttpUtility?
I'm guessing HttpUtility will be used because it is declared at the page level; not the globally declared AntiXSSEncoder ... but am unsure
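The question above (does a page-level HttpUtility.HtmlEncode call keep its old behaviour, or does the globally configured encoder win?) can be settled on the running site rather than guessed at. Since .NET 4.0, HttpUtility.HtmlEncode contains no encoding logic of its own: it delegates to HttpEncoder.Current, and the encoderType attribute on <httpRuntime> is exactly what replaces that object. The probe page below is an added example, not code from the thread; it assumes web.config carries the documented 4.5 setting `<httpRuntime targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />`, and the probe string and file name are constructed for illustration.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Web.Util" %>
<%-- EncoderProbe.aspx: added diagnostic, not from the thread. Drop it into the site
     root of an application whose web.config sets encoderType on <httpRuntime> and
     request it in a browser. --%>
<script runat="server">
    // Constructed probe string. '=', '(', ')' and '+' are outside AntiXssEncoder's safe
    // list (letters, digits, space, comma, period, hyphen, underscore), while the default
    // HttpEncoder only touches < > & " ', so the two encoders visibly disagree on it.
    const string Probe = "<img src=x onerror=alert(1+1)>";

    protected void Page_Load(object sender, EventArgs e)
    {
        // The legacy call exactly as it appears in the existing ASPX pages.
        string viaHttpUtility = HttpUtility.HtmlEncode(Probe);

        // The explicit AntiXSS call, fully qualified because the namespace is not imported.
        string viaAntiXss = System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Probe, false);

        // HttpEncoder.Current is the object ASP.NET built from <httpRuntime encoderType="...">.
        // HttpUtility.HtmlEncode, HtmlAttributeEncode, UrlEncode and the encoding data-binding
        // and code-nugget syntaxes all route through it.
        Type current = HttpEncoder.Current.GetType();
        bool antiXssActive = typeof(System.Web.Security.AntiXss.AntiXssEncoder).IsAssignableFrom(current);

        // Encode once more for display so the entities are shown literally, not rendered.
        EncoderName.Text = HttpUtility.HtmlEncode(current.FullName);
        HttpUtilityResult.Text = HttpUtility.HtmlEncode(viaHttpUtility);
        AntiXssResult.Text = HttpUtility.HtmlEncode(viaAntiXss);

        Verdict.Text = antiXssActive
            ? "HttpUtility.HtmlEncode is routed through AntiXssEncoder; the existing page-level calls can stay as they are."
            : "HttpUtility.HtmlEncode is still using the default encoder; the encoderType attribute is not in effect.";
    }
</script>
<html>
<body>
  <p>HttpEncoder.Current: <asp:Literal ID="EncoderName" runat="server" /></p>
  <p>HttpUtility.HtmlEncode output: <asp:Literal ID="HttpUtilityResult" runat="server" /></p>
  <p>AntiXssEncoder.HtmlEncode output: <asp:Literal ID="AntiXssResult" runat="server" /></p>
  <p><asp:Literal ID="Verdict" runat="server" /></p>
</body>
</html>
```

If the verdict reports the default encoder, the usual causes are a typo in the assembly-qualified type name or the attribute sitting on a <httpRuntime> element that is overridden by a child web.config. The two output lines are there to eyeball the difference: with AntiXSS active, the legacy call's output should match the explicit call's and the punctuation in the probe should appear as numeric entities.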
Catherine Sh...
All-Star
23373 Points
2490 Posts
Microsoft
Re: AntiXSS Library in .NET v4.5
Dec 07, 2012 02:19 AM
Hi,
As far as we know, there are two ways to prevent XSS in ASP.NET: one is HttpUtility, the other is to use the Microsoft-provided XSS library (AntiXSS). AntiXSS uses a white-listing technique to provide protection against Cross-Site Scripting (XSS) attacks. HttpUtility uses a black-listing technique. For details, please check:
Differences Between AntiXss.HtmlEncode and HttpUtility.HtmlEncode Methods
In my opinion, AntiXSS will not override HttpUtility.HtmlEncode("someColumn") as System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode("someColumn", true). It will override the page level.
Best wishes,
Feedback to us
Develop and promote your apps in Windows Store
Keep it Simp...
Member
546 Points
261 Posts
Re: AntiXSS Library in .NET v4.5
Dec 07, 2012 02:53 AM
Thanks Catherine
I prefer to use the white list approach i.e. AntiXSS. It seems safer to do so.
So, in the ASPX pages, do I delete all cases of HttpUtility.HtmlEncode?
I believe AntiXSS should kick in automatically if set it in <httpRuntime> in web.config.
By the way, I tried the following declaratively:
Text='<%# AntiXssEncoder.HtmlEncode(Eval("column").ToString(), true) %>'
but I had to write
Text='<%# System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("column").ToString(), true) %>'
because the namespace System.Web.Security.AntiXss was not being picked up automatically in the ASPX page, despite the assignment in web.config.
Catherine Sh...
All-Star
23373 Points
2490 Posts
Microsoft
Re: AntiXSS Library in .NET v4.5
Dec 07, 2012 03:46 AM
Hi Keep it Simple,
Thank you for quick reply.
It depends on your requirement. In my opinion, using AntiXSS is preferred. You can try to use it instead.
In order to resolve this issue, you can try to add the namespace in the page as follows:
Best wishes,
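The namespace problem reported two posts up has a simple cause: encoderType on <httpRuntime> swaps the encoder object and imports nothing, so AntiXssEncoder is only visible to page markup if the page (or the <pages><namespaces> section of web.config, with `<add namespace="System.Web.Security.AntiXss" />`) imports it. The page below is an added example, not code from the thread, showing the per-page Import directive together with the declarative binding from the earlier post; the GridView, the rows and the ProductName field are constructed for illustration.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Web.Security.AntiXss" %>
<%-- Added example, not from the thread. The Import directive above is what lets the
     unqualified AntiXssEncoder call compile. Rows and the ProductName field are constructed. --%>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        // Constructed rows standing in for the database column; the second one is an XSS payload
        // so the rendered source can be checked for entities rather than a live img tag.
        Products.DataSource = new[]
        {
            new { ProductName = "Widget 2-pack" },
            new { ProductName = "<img src=x onerror=alert(1)>" }
        };
        Products.DataBind();
    }
</script>
<html>
<body>
  <asp:GridView ID="Products" runat="server" AutoGenerateColumns="false">
    <Columns>
      <asp:TemplateField HeaderText="Product (explicit AntiXSS call)">
        <ItemTemplate>
          <%-- Works with or without the encoderType setting. Convert.ToString tolerates a
               null column value, where the .ToString() call in the earlier post would throw. --%>
          <asp:Label runat="server"
              Text='<%# AntiXssEncoder.HtmlEncode(Convert.ToString(Eval("ProductName")), true) %>' />
        </ItemTemplate>
      </asp:TemplateField>
      <asp:TemplateField HeaderText="Product (4.5 encoded binding)">
        <ItemTemplate>
          <%-- A plain '#' binding expression performs no encoding at all. The '#:' form added in
               ASP.NET 4.5 encodes through HttpEncoder.Current, so it uses AntiXSS once
               encoderType is set in web.config and the default encoder otherwise. --%>
          <asp:Label runat="server" Text='<%#: Eval("ProductName") %>' />
        </ItemTemplate>
      </asp:TemplateField>
    </Columns>
  </asp:GridView>
</body>
</html>
```

The explicit call is the safer choice for a site that may be deployed before the web.config change lands, since it does not depend on the global setting; the '#:' form is the less noisy one once the setting is in place. View the page source after loading it: both columns should show the payload as entities, and an unencoded img tag in either column means that binding is not going through an encoder.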