Last post Mar 04, 2009 05:08 AM by calvinm
Jan 27, 2009 07:01 PM|neon123|LINK
Could someone please help me to understand if (and how!) I can use AntiXss to filter out Xss in those 2 cases:
<asp:LinkButton id="LinkButton1" CssClass="Button" runat="server" CommandArgument='<%# DataBinder.Eval(Container.DataItem,"UserName") %>'><%# DataBinder.Eval(Container.DataItem,"UserName") %></asp:LinkButton>
What method out of the library can I use to make sure no unwanted code is injected into the Command Argument?
2. Image Source
<img src='<%= TextBox1.Text %>' />
Jan 29, 2009 04:02 PM|jstrosch|LINK
For case 1 it depends on what you mean. If you want to make sure that the data coming from the datasource is properly encoded, then I typically do something like:
<asp:LinkButton CommandArgument='<%# SanitizeOutput(Convert.ToString(Eval("UserName"))) %>' runat="server" etc....
And in the code-behind I would define SanitizeOutput as follows:
public string SanitizeOutput(string output)
{
    return Server.HtmlEncode(output); // or you could download the AntiXss library from MS and use: return AntiXss.HtmlEncode(output);
}
This will help ensure that the data is sanitized before it is rendered in the browser. For case two I would use the same Server.HtmlEncode or AntiXss.HtmlEncode. The AntiXss library is at http://msdn.microsoft.com/en-us/library/aa973813.aspx. It is in the Microsoft.Security.Application namespace. Hope this helps.
Jan 29, 2009 05:48 PM|neon123|LINK
Jan 30, 2009 09:49 AM|jstrosch|LINK
that would prevent the cases listed there by eliminating the semicolon. I would just avoid allowing user input as the value for the image src property.
Jan 30, 2009 10:36 AM|neon123|LINK
Well, sometimes the source of the data is not under your control. It might not be user input and instead come from some kind of feed which you don't trust...
Jan 30, 2009 10:57 AM|jstrosch|LINK
as it is very difficult to write a comprehensive list of all the values you should block. Another possible solution might be to use a regex to match against only a certain set of characters you allow, such as: [a-z0-9&?\.]. The regex could match the beginning of the URL (http:// or www. or http://www.) and then the rest of the URL could be matched against the characters you allow, so something like I mentioned above. I'm not very good with regexes so I won't try to write one. I'm kind of grasping at straws now, sorry I haven't been much help.
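A worked version of the two answers above (attribute encoding for the CommandArgument, and an allowlist rather than a block list for the image source). This is an added example, not code posted in the thread; it assumes ASP.NET Web Forms on .NET 4 or later (where HttpUtility.HtmlAttributeEncode also encodes the apostrophe that the single-quoted attributes depend on) and uses System.Web instead of the AntiXss or CommonData libraries; the class and method names are mine.

```csharp
using System;
using System.Web;

// Added example, not from the thread. Assumes ASP.NET Web Forms on .NET 4+.
public static class UntrustedOutput
{
    // Case 1: a value that lands inside an attribute (CommandArgument) or an element body.
    // Attribute encoding turns quotes, angle brackets and ampersands into entities,
    // so a quote inside UserName cannot terminate the attribute it is bound into.
    // Markup usage (data-binding expression, as in the thread):
    //   CommandArgument='<%# UntrustedOutput.ForAttribute(Convert.ToString(Eval("UserName"))) %>'
    public static string ForAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value ?? string.Empty);
    }

    // Case 2: an image source that comes from a feed you do not trust.
    // Encoding alone is not enough here: a URL with a non-http(s) scheme survives
    // HtmlEncode unchanged and is still interpreted as that scheme by the browser.
    // So instead of listing characters to block, accept only absolute http/https URLs
    // (the allowlist idea from the answer above) and encode the result for the attribute.
    public static bool TryBuildImageSrc(string candidate, out string encodedSrc)
    {
        encodedSrc = string.Empty;
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            return false;                       // relative, empty or unparsable: reject
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;                       // any other scheme: reject
        // Re-serialise from the parsed Uri so the raw string's oddities are normalised,
        // then encode for the attribute context. Render as <img src='<%# encodedSrc %>' />
        // or fall back to a fixed placeholder image when this method returns false.
        encodedSrc = HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);
        return true;
    }
}
```

Because the attribute encoder only escapes the characters that would break out of the attribute, the src check is what keeps the scheme honest; the two methods are complementary, not interchangeable.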
Feb 05, 2009 06:26 AM|TATWORTH|LINK
Instead of ANTI-XSS, I suggest that you use IsValidHtmlFragment (CommonData library at http://www.CodePlex.Com/CommonData) to parse any HTML input. If you can prepare some examples of what should and should not be allowed, I can advise you better.
Mar 04, 2009 05:08 AM|calvinm|LINK
Any idea if this can be configured to ignore certain tags? It just seems that a string replace function to undo the encoding afterwards is a bit silly.