tags:

views:

112

answers:

2
+2  Q: 

<%: %> vs Microsoft the anti XSS library

With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax.

My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?

A Microsoft security person once told me to never just use HTML Encode as it doesn't protect very well and that I should always use the Anti XSS library (or another library). Is that still true with <%: %>? Or can I confidently use <%: %> knowing it's going to protect my app from XSS like people are saying?

+1  A: 

The new syntax should only be used to escape raw text content in HTML. EDIT: and attributes.

For attributes, Javascript, and other contexts, you should still use the Anti-XSS library,

SLaks  2010-06-28 21:43:27
The Anti-XSS library provides safer encoding for HTML and attribute encoding as well
orip  2010-06-30 14:36:58
+5  A: 

HttpUtility.HtmlEncode uses a black list (principle of exclusions) approach to encoding, which potentially leaves the door ajar for newly discover exploits in the future. The Anti-XSS library (now known as the Web Protection Library and includes code to mitigate SQL injection too) uses a whitelist approach (principle of inclusions) which closes the door a little further and should provide better security.

<%: ... %> is just a shortcut for <%= Server.HtmlEncode(string) %> and therefore provides the security of the encoder used in your application.

You can use any encoder you like with the new <%: ... %> syntax and Phil Haack has a great post on hooking up the Anti-Xss library as the default encoder. Bear in mind that currently Anti-XSS library 3.1 requires medium trust to run - this is being addressed for a future release.

Russ Cam  2010-06-28 21:46:16
I didn't know that about hooking up <%: %> to a different encoder. That is pretty cool.
metanaito  2010-06-30 01:54:59

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps