Hi

Can the Microsoft Web Protection Library have custom white-lists? http://wpl.codeplex.com/

I am also wondering do you need to do anything special to get it to work with asp.net mvc?

I am going through its methods and I see

AntiXss.GetSafeHtml Method
AntiXss.GetSafeHtmlFragment Method
AntiXss.HtmlEncode Method
AntiXss.JavaScriptEncode Method
AntiXss.UrlEncode Method

Is there something that does all these in one command or do I have to determine line by line which one to use?

A: 

Do I have to determine line by line which one to use

Yes, you have to decide which one to use. But that is not an issue with the library. Each kind of output needs its own encoding.

If you have

<script language="JavaScript">
    alert('<%= Model.PropertyName %>')
</script>

You need to JavaScript encode (the easiest attack would use ', which is not handled by HtmlEncode).

But if you have

<a href="ur"><%= Model.PropertyName %></a>

You need to Html.Encode

I think GetSafeHtmlFragment is for usage as an HTML attribute, but I am not so sure here.

I am also wondering do you need to do anything special to get it to work with asp.net mvc?

Just add the namespace to your view and use AntiXss.HtmlEncode("").

I have seen a post where it was shown how you can configure ASP.NET MVC to use the AntiXss library for the handling of <%: %>, but I think it doesn't help that much, because the helpers still use a hardcoded encoder.

Malcolm Frexner
Well, I am kinda confused. This is my scenario: I have a rich HTML editor and I want to make a white list (so stuff like the script above is removed, not encoded). I then want to only allow attributes and tags that I accept (such as bold). So I am wondering: can AntiXss do this? Can I add bold to the accepted list? Or do I have to continue to use HtmlAgilityPack with my own list? 2nd, does any of these, such as GetSafeHtml or GetSafeHtmlFragment, do both tags and attributes and URLs? I'd rather have it do all the encoding for those 3.
chobo2
Since, like, the whitelist that I made with HtmlAgilityPack is lacking the defense in my attributes. Like it does not take into account javascript in href tags and that crap.
chobo2
Ok, that's a different story: you need to sanitize input. GetSafeHtmlFragment should do the job according to https://blogs.msdn.com/b/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx. If there is no way to change the whitelist and you don't want to compile the library yourself, you can do this: HTML-encode the items of your whitelist. Replace the occurrences of the original tags from the whitelist in the text by their encoded counterparts. Sanitize the text. In the sanitized text, replace the encoded tokens from the whitelist by the unencoded tokens.
Malcolm Frexner
Well, if I can't make a custom whitelist with the MS library then I will just continue to use HtmlAgilityPack.
chobo2
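The four-step workaround from Malcolm Frexner's comment (encode the whitelist tokens, swap them in, sanitize, swap them back), worked through as an added example that is not code from the question, the answer or the AntiXss library. It is written in Python with a constructed strip-every-tag function standing in for AntiXss.GetSafeHtmlFragment, so the round-trip can be seen end to end; the whitelist tokens and the sample input are constructed for this illustration.

```python
import html
import re

# Tokens the application wants to survive sanitization. Only attribute-free
# tags are safe to round-trip this way: a token such as <a href="..."> would
# carry its attribute value past the sanitizer untouched, which is exactly the
# gap this trick must not open.
WHITELIST_TOKENS = ("<b>", "</b>", "<i>", "</i>")

# Constructed sample: one whitelisted tag, a script, a whitelisted tag name
# with a hostile attribute, and another whitelisted tag.
SAMPLE_INPUT = (
    '<b>bold</b> <script>alert(1)</script> '
    '<b onclick="x()">evil</b> <i>ok</i>'
)


def strip_all_tags(fragment: str) -> str:
    """Stand-in for AntiXss.GetSafeHtmlFragment (constructed, not the real
    sanitizer): drops every element, keeps text and leaves entities as-is."""
    return re.sub(r"<[^>]*>", "", fragment)


def sanitize_with_whitelist(fragment: str, sanitize=strip_all_tags) -> str:
    # Step 1: HTML-encode each whitelisted token, e.g. "<b>" -> "&lt;b&gt;"
    # (html.escape plays the role of AntiXss.HtmlEncode here).
    encoded = {tok: html.escape(tok, quote=False) for tok in WHITELIST_TOKENS}

    # Step 2: replace exact whitelist tokens by their encoded forms, so the
    # sanitizer sees them as plain text. "<b onclick=...>" is not an exact
    # match for "<b>", so it stays a tag and will be removed in step 3.
    protected = fragment
    for tok, enc in encoded.items():
        protected = protected.replace(tok, enc)

    # Step 3: sanitize; anything still written as markup is stripped.
    cleaned = sanitize(protected)

    # Step 4: turn the encoded tokens back into real tags. Note that a user who
    # typed the literal text "&lt;b&gt;" also ends up with a real <b>; that is
    # harmless only because <b> is whitelisted, and is a known side effect.
    for tok, enc in encoded.items():
        cleaned = cleaned.replace(enc, tok)
    return cleaned


if __name__ == "__main__":
    print(sanitize_with_whitelist(SAMPLE_INPUT))
```

The orphaned `</b>` left behind in the output shows the limitation: the approach preserves exact tokens, not well-formedness, so the sanitizer's own whitelist remains the better fix when it can be changed.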