views:

112

answers:

2

With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax.

My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?

A Microsoft security person once told me to never just use HTML Encode as it doesn't protect very well and that I should always use the Anti XSS library (or another library). Is that still true with <%: %>? Or can I confidently use <%: %> knowing it's going to protect my app from XSS like people are saying?

+1  A: 

The new syntax should only be used to escape raw text content in HTML. EDIT: and attributes.

For attributes, Javascript, and other contexts, you should still use the Anti-XSS library,

SLaks
The Anti-XSS library provides safer encoding for HTML and attribute encoding as well
orip
+5  A: 

HttpUtility.HtmlEncode uses a black list (principle of exclusions) approach to encoding, which potentially leaves the door ajar for newly discover exploits in the future. The Anti-XSS library (now known as the Web Protection Library and includes code to mitigate SQL injection too) uses a whitelist approach (principle of inclusions) which closes the door a little further and should provide better security.

<%: ... %> is just a shortcut for <%= Server.HtmlEncode(string) %> and therefore provides the security of the encoder used in your application.

You can use any encoder you like with the new <%: ... %> syntax and Phil Haack has a great post on hooking up the Anti-Xss library as the default encoder. Bear in mind that currently Anti-XSS library 3.1 requires medium trust to run - this is being addressed for a future release.

Russ Cam
I didn't know that about hooking up <%: %> to a different encoder. That is pretty cool.
metanaito