Anti XSS and Classic ASP.

Question

Im currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from MS on the net and i was wondering if this would work with a classic application?

If not do you have any ideas how i could go about sanatizing the strings?

Any help at all would be brilliant.

Thanks

Answer 1

Not easily - you'd need to make a COM-callable wrapper, install on the servers, etc. I simply don't think it is a suitable fit for "classic" ASP.

Answer 2

To sanitize strings I would HTML encode all output, that way you don't have to dink around with special characters or huge regex expressions

Server.HTMLEncode(string)

The two most important countermeasures to prevent cross-site scripting attacks are to:

• Constrain input.
• Encode output.

via How To: Prevent Cross-Site Scripting in ASP.NET (i know i'ts not classic asp but there are similar principals)

Answer 3

When functions don't exist in classic ASP, write them.

• http://snipplr.com/view/12446/add-and-strip-slashes/
• http://snipplr.com/view/12207/htmlspecialchars/
• http://snipplr.com/view/10608/striptags/

Answer 4

If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:

set objRegExp = new RegExp
with objRegExp
    .Pattern = "<^((b)|(i)|(em)|(strong)|(br))>.*</.*>"
    .IgnoreCase = varIgnoreCase
    .Global = True
end with
cleanString = objRegExp.replace(originalString, "")