antixsslibrary

How to handle encoded inputs that need to be edited?

Using Microsoft's AntiXssLibrary, how do you handle input that needs to be edited later? For example:

User enters: <i>title</i>
Saved to the database as: <i>title</i>
On an edit page, in a text box it displays something like: &lt;i&gt;title&lt;/i&gt; because I've encoded it before displaying in the text box.

User doesn'...

Javascript Rich Text Editor and associated class to filter and clean the input?

I realise there are several rich text editors for jQuery but I cannot find any that have an associated class that does the filtering and cleaning required to accept the input into a database. Does such a class exist? I am particularly interested for a PHP library, but .NET would be interesting too. ...

Is there a good reason why AntiXss.JavaScriptEncode wraps result in single quotes?

I've been using Microsoft's AntiXss Library and was wondering if there is a good reason why its JavaScriptEncode method wraps the result in single quotes? That behavior seems unconventional. ...

Is the Microsoft AntiXSS library useful and do I need it if I'm using server controls?

I've downloaded and looked at the Microsoft AntiXSS library, but I'm not 100% sure I need to use it for server controls (asp:textbox, etc). Everything is fine when I use it with a standard html control (input, etc). It looks like the output is encoded twice when I use the antixss lib on the server controls. I'm currently only using the...

Should I use the Anti-XSS Security Runtime Engine in ASP.NET MVC?

I have been reading up on Anti-XSS Security Runtime Engine and it looks like a nice solution for web forms because it inspects controls via reflection and automatically encodes data where appropriate. However as I don't really use server side controls in ASP.NET MVC, it does not seem to be a viable solution for ASP.NET MVC. Is this corre...

Is The Whitelist Configurable In The MS Anti_XSS Library 3.0?

I've just downloaded and taken a look at the new MS Anti_XSS 3.0 release. I've read through the help file, but I've found no mention of how to modify the whitelist it uses. Can items be added? Can items be removed? ...

Can HTML be executed while being read from or inserted into a textbox?

Hello, I have a question regarding ANTIXSS implementation. If I was to read values from a textbox on a page and store it into a database directly and then read value from the database and insert it into a textbox, then is there a chance that the tag or similar could be executed in the process? Regards, Andy ...
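The round trip that the three textbox questions above describe (editing a value that was stored encoded, server controls encoding a second time, and reading a value from a textbox back into a textbox), as an added example that is not part of any of the original posts and not code from the AntiXss library. It assumes a Web Forms page whose markup declares an `asp:TextBox` named `TitleTextBox` and an `asp:Label` named `PreviewLabel`, a record key passed as the `id` query-string parameter, and a hypothetical in-memory `TitleRepository` standing in for the database; it references the 3.x `Microsoft.Security.Application.AntiXss` class that the questions use.

```csharp
// Added example; not code from the original questions or from the AntiXss library.
using System;
using System.Collections.Generic;
using System.Web.UI;
using Microsoft.Security.Application;   // AntiXss static class, AntiXssLibrary.dll 3.x

// Hypothetical stand-in for the data layer: stores and returns the string unchanged.
public static class TitleRepository
{
    private static readonly Dictionary<int, string> Store = new Dictionary<int, string>();

    public static string Load(int id)
    {
        string s;
        return Store.TryGetValue(id, out s) ? s : "";
    }

    public static void Save(int id, string rawTitle)
    {
        Store[id] = rawTitle;
    }
}

public partial class EditTitle : Page
{
    // Record key from the query string; assumed for the example.
    private int Id
    {
        get { return int.Parse(Request.QueryString["id"]); }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Stored exactly as the user typed it: "<i>title</i>", never an encoded copy.
        string rawTitle = TitleRepository.Load(Id);

        // asp:TextBox HTML-attribute-encodes its Text when it renders the value="..."
        // attribute (and HTML-encodes it inside <textarea> for TextMode="MultiLine").
        // Assign the raw string: the browser decodes the entities, the user sees
        // <i>title</i> in the box, and nothing in the box is parsed as markup.
        TitleTextBox.Text = rawTitle;

        // What makes &lt;i&gt;title&lt;/i&gt; appear on screen: encoding once here
        // and then letting the control encode again.
        // TitleTextBox.Text = AntiXss.HtmlEncode(rawTitle);   // double-encoded

        // asp:Label writes Text verbatim, so this is where to encode, exactly once.
        PreviewLabel.Text = AntiXss.HtmlEncode(rawTitle);
    }

    protected void Save_Click(object sender, EventArgs e)
    {
        // Persist the raw input. Encoding belongs at each output, because the right
        // encoding depends on where the value is rendered (HTML body, attribute,
        // JavaScript, URL), which is not known when the value is stored.
        TitleRepository.Save(Id, TitleTextBox.Text);
    }
}
```

The rule the example follows is: store what the user typed, encode once at the point of output, and know which controls already encode for you (TextBox does, Label and Literal do not).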

Does anyone use Fortify 360 with Classic ASP? a Header Manipulation vulnerability story

Good morning, everyone. I'm on a short-term contracting gig, trying to patch some vulnerabilities in their legacy code. The application I'm working on is a combination of Classic ASP(VBScript) and .Net 2.0 (C#). One of the tools they have purchased is Fortify 360. Let's say that this is a current classic ASP page in the application...

What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

I just ran across a question with an answer suggesting the AntiXss library to avoid cross site scripting. Sounded interesting, reading the msdn blog, it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode(). Why would I want to use AntiXss.HtmlEncode over HttpUtility.HtmlEncode? Indeed, I am not the...

XSS - SQL Injection -- OWASP vs AntiXss vs Microsoft Anti-Cross Site Scripting Library

Hello, We are looking at using a library to help us detect SQL injections. We are using sprocs and parametrized statements, but for the sake of this post say that we are only using some sort of library that detects/verifies user input. What's the best one? Easiest to implement? Easiest to update/manage? Why prefer one over the othe...

Why use Microsoft AntiXSS library?

When you can simply encode the data using HttpUtility.HtmlEncode, why should we use AntiXss.HtmlEncode? Why is the white-list approach better than black-listing? Also, in the Anti XSS library, where do I specify the whitelist? ...

Using MS Anti XSS library for sanitizing HTML

In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time. My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I ...

Suggestions for where to put AntiXSS calls in ASP.NET MVC

I am attempting to find the optimal method of guarding against Cross Site Scripting in my ASP.NET MVC application. I planned to use Microsoft’s AntiXSS library and essentially guard on two levels: 1) Protect regular textboxes (i.e. those that should only contain plain text and 2) Protect rich text boxes which can generate HTML. The libra...

Sanitize HTML before storing in the DB or before rendering? (AntiXSS library in ASP.NET)

I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment to sanitize the HTML. Should I sanitize before saving to the database or before rendering the untrusted input into the webpage? Is ...
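The two output paths that the three sanitizing questions above ask about (a plain-text field versus a rich-text field, and sanitizing on the way in versus on the way out), as an added example that is not part of any of the original posts and not code from the AntiXss library. It uses the 3.x `Microsoft.Security.Application.AntiXss` class named in the questions; the input strings are constructed for the example and stand in for rows read back from the database.

```csharp
// Added example; not code from the original questions or from the AntiXss library.
using System;
using Microsoft.Security.Application;   // AntiXss static class, AntiXssLibrary.dll 3.x

public static class UntrustedOutput
{
    // Plain-text fields (names, titles, comments without formatting): the user
    // never gets markup back, so every character that could be markup is encoded.
    public static string RenderPlain(string stored)
    {
        return AntiXss.HtmlEncode(stored);
    }

    // Rich-text fields: the user is allowed a subset of HTML, so encoding would
    // destroy the formatting. The fragment is filtered against the library's
    // whitelist of tags and attributes instead, on the way out. Sanitizing at
    // render time (not only before storing) means that when a rule turns out to
    // be too permissive, updating the library fixes content that is already in
    // the database; sanitizing on the way in as well is cheap defence in depth.
    public static string RenderRich(string stored)
    {
        return AntiXss.GetSafeHtmlFragment(stored);
    }

    static void Main()
    {
        // Constructed inputs, not from the original questions.
        string plainTitle = "5 < 6 && \"quotes\" <script>alert(1)</script>";
        string richBody   = "<p>Hello <b>world</b></p>"
                          + "<img src=\"x\" onerror=\"alert(document.cookie)\">"
                          + "<script>alert(1)</script>";

        // Right tool for each field.
        Console.WriteLine("<h1>" + RenderPlain(plainTitle) + "</h1>");
        Console.WriteLine("<div class=\"body\">" + RenderRich(richBody) + "</div>");

        // Wrong tool for each field: encoding the rich field shows its tags as
        // text; sanitizing the plain field returns markup, not encoded text.
        Console.WriteLine("<h1>" + RenderRich(plainTitle) + "</h1>");
        Console.WriteLine("<div class=\"body\">" + RenderPlain(richBody) + "</div>");
    }
}
```

One caveat that the questions do not spell out: the output of GetSafeHtmlFragment is safe only as an HTML fragment inside the document body. It is a filter, not an encoding, so it must never be placed inside an attribute value, a script block, or a URL; those contexts still need the matching encoder.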

How to encode JavaScript text inside an XML attribute?

I have a piece of JavaScript string, coming from an untrusted source, embedded inside of an onclick tag and I'm not sure what the correct way of encoding this string is. Here is a simplification of the HTML: <input type="button" onclick="alert([ENCODED STRING HERE]);" value="Click me" /> I use the Microsoft AntiXss library which c...
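The layered encoding for the onclick attribute above, as an added example that is not part of the original post and not code from the AntiXss library; it also shows why the single quotes that the earlier question found unconventional in `JavaScriptEncode` are useful here. It uses the 3.x `Microsoft.Security.Application.AntiXss` class; the sample strings are constructed for the example.

```csharp
// Added example; not code from the original questions or from the AntiXss library.
using System;
using Microsoft.Security.Application;   // AntiXss static class, AntiXssLibrary.dll 3.x

public static class OnClickArgument
{
    // Text to place at [ENCODED STRING HERE] in  onclick="alert([ENCODED STRING HERE]);"
    // The browser decodes in two stages: the HTML parser decodes the attribute value,
    // then the JavaScript parser reads that result as source. Encoding is applied in
    // the reverse order, innermost context first: JavaScriptEncode, then HtmlAttributeEncode.
    public static string ForAttribute(string untrusted)
    {
        // JavaScriptEncode returns a complete single-quoted JavaScript string literal
        // ('...'), with every character outside its whitelist written as \xHH, so the
        // result is dropped in as the whole argument and no quotes are added around it.
        string jsLiteral = AntiXss.JavaScriptEncode(untrusted);

        // The attribute is delimited by double quotes; HtmlAttributeEncode turns the
        // literal's own quotes, backslashes and everything else non-alphanumeric into
        // entities, which the HTML parser decodes back before JavaScript sees them.
        return AntiXss.HtmlAttributeEncode(jsLiteral);
    }

    public static string RenderButton(string untrusted)
    {
        return "<input type=\"button\" onclick=\"alert(" + ForAttribute(untrusted)
             + ");\" value=\"Click me\" />";
    }

    static void Main()
    {
        // Constructed inputs standing in for the untrusted source; not from the question.
        string[] samples =
        {
            "Plain text",
            "x');alert(document.cookie);//",    // tries to close the JS string literal
            "\" onmouseover=\"alert(1)",          // tries to close the HTML attribute
        };
        foreach (string s in samples)
        {
            Console.WriteLine(RenderButton(s));
        }
    }
}
```

Applying only one of the two encoders is the usual mistake: JavaScriptEncode alone leaves the attribute delimiter unprotected from whatever the encoder emits, and HtmlAttributeEncode alone leaves the JavaScript string delimiter unprotected. Wrapping the JavaScriptEncode result in a second pair of quotes produces a literal inside a literal and breaks the call.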

What is the best way to store WMD input/markdown in SQL server and display later?

I'm looking at using WMD in my project instead of my existing RadEditor. I have been reading a few posts on how to store and retrieve the data, and I want to make sure I have the concept correct before proceeding. If my research is correct, here is what I should be doing. I should store the editor data twice (Once as HTML and once as...

<%: %> vs the Microsoft Anti-XSS library

With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax. My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library? A Microsoft security person once told me to never just use HTML Encode as it doesn't...
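The whitelist-versus-blacklist difference that the three HtmlEncode questions on this page ask about (AntiXss.HtmlEncode versus HttpUtility.HtmlEncode, the whitelist approach, and `<%: %>`), as an added example that is not part of any of the original posts and not code from the AntiXss library. The `WhitelistHtmlEncode` method is a deliberately small encoder written here to show the principle; AntiXss's own encoder is larger. The payload is constructed for the example. Two facts the example relies on: `<%: %>` compiles to a call through HttpUtility.HtmlEncode, and HttpUtility.HtmlEncode on .NET 3.5 and earlier replaces only `<`, `>`, `&`, `"` and a few Latin-1 characters, leaving the apostrophe alone (.NET 4 started encoding it as `&#39;`).

```csharp
// Added example; not code from the original questions or from the AntiXss library.
using System;
using System.Text;
using System.Web;                       // HttpUtility (System.Web.dll)
using Microsoft.Security.Application;   // AntiXss static class, AntiXssLibrary.dll 3.x

public static class EncoderComparison
{
    // Illustrative whitelist encoder: only characters known to be inert in HTML
    // pass through; every other character becomes a numeric entity. A blacklist
    // encoder has to enumerate the dangerous characters and misses any it did
    // not think of; a whitelist encoder has no such list to get wrong.
    public static string WhitelistHtmlEncode(string s)
    {
        var sb = new StringBuilder(s.Length * 2);
        foreach (char c in s)
        {
            bool safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                     || (c >= '0' && c <= '9') || c == ' ' || c == '.'
                     || c == ',' || c == '-' || c == '_';
            if (safe) sb.Append(c);
            else sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed payload: the apostrophe is the break-out character in a
        // single-quoted attribute, and the pre-.NET 4 blacklist does not cover it.
        string payload = "x' onmouseover='alert(1)";

        // Blacklist: on .NET 3.5 the apostrophe survives and the attribute is closed.
        Console.WriteLine("<a title='" + HttpUtility.HtmlEncode(payload) + "'>link</a>");

        // Whitelist: the apostrophe, the equals sign and the parentheses are all
        // entities, whatever the attribute delimiter is.
        Console.WriteLine("<a title='" + AntiXss.HtmlEncode(payload) + "'>link</a>");
        Console.WriteLine("<a title='" + WhitelistHtmlEncode(payload) + "'>link</a>");
    }
}
```

On .NET 4 the first line is also safe for this payload, because the framework encoder now covers the apostrophe; the structural argument for a whitelist is that it does not depend on that list being complete. Since `<%: %>` goes through HttpUtility.HtmlEncode, and HttpUtility delegates to the HttpEncoder configured in web.config, AntiXss 4.x can be made the encoder behind `<%: %>` with `<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />` rather than by calling the library at each output.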

HTML Agility Pack vs AntiXss

Hi All, It seems to me just using the HTML Agility Pack would work to prevent XSS (parse then get InnerText). Would it be repetitive to use AntiXss after using HAP? Thanks, rod. ...

Fortify and AntiXSS

My company requires our ASP.NET code to pass a Fortify 360 scan before releasing the code. We use AntiXSS everywhere to sanitize HTML output. We also validate input. Unfortunately, they recently changed the "template" Fortify was using and now it's flagging all our AntiXSS calls as "Poor Validation". These calls are doing things like Ant...

Would I need AntiXss for report printing?

Hi All, I have a report web page that allows you to export records shown to an Excel file. I'm using AntiXss to display them on the screen, but when a user opts to export to file and I go and get the records again from the db, will I need to use AntiXss to scrub for reporting purposes? Thanks, rod. ...