I'm working on updating a classic ASP web page used by a number of sub-sites maintained at the company I work for.

The purpose of the page is to notify the user that they are leaving "our" site and going to another site. It's basically a disclaimer, but due to resource limitations and time limitations I can't add the disclaimer to every site we manage.

This is the crux of the problem. The current code pulls a variable from the query string to create the "continue" link in the new window. This obviously creates many problems in the form of cross-site scripting.

How do I approach this update to eliminate most (if not all) of the cross-site scripting issues using vbScript/ASP?

The code I'm using is below.

<%@ Language = vbScript %>
<% Option Explicit %>

<%
' Blacklist approach: take the destination straight from the query string,
' then strip characters and keywords that look dangerous. The keyword
' Replace calls use compare = 1 (vbTextCompare), so they are case-insensitive
' and remove every occurrence in the string.
Dim strLink
strLink = Request.QueryString("site")
strLink = Replace(strLink, "<", "&lt;")
strLink = Replace(strLink, ">", "&gt;")
strLink = Replace(strLink, chr(34), "")
strLink = Replace(strLink, "script", "", 1, -1, 1)
strLink = Replace(strLink, "onclick", "", 1, -1, 1)
strLink = Replace(strLink, "ondblclick", "", 1, -1, 1)
strLink = Replace(strLink, "onmousedown", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseover", "", 1, -1, 1)
strLink = Replace(strLink, "onmousemove", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseout", "", 1, -1, 1)
strLink = Replace(strLink, "onkeypress", "", 1, -1, 1)
strLink = Replace(strLink, "onkeydown", "", 1, -1, 1)
strLink = Replace(strLink, "onkeyup", "", 1, -1, 1)
strLink = Replace(strLink, "onfocus", "", 1, -1, 1)
strLink = Replace(strLink, "onblur", "", 1, -1, 1)
strLink = Replace(strLink, "&&", "")
strLink = Replace(strLink, "##", "")
strLink = Replace(strLink, "&#", "")
%>

' The filtered value is written straight into the href attribute.
<a href="<%= strLink %>">Continue</a>
+1  A: 

This is what I recommend for HTML sanitizing -

HTML Whitelist is the latest in the "cool little Python Web service thrown up on App Engine" by my good colleague DeWitt Clinton.

It does one thing, and it does it well. You can pass the service HTML and it will return a sanitized version.

http://html-whitelist.appspot.com/

While I originally appreciated Bryan Batchelder's response as the best answer for me, I've come to realize that the web service listed in this answer actually provides me with the answer to my question. I will say that Bryan's response is the broader approach solution and is more applicable to more users.
Nip
+2  A: 

You need to implement an approach that follows the concept of "Positive Security Model". You should parse the "site" variable and make sure it conforms explicitly to what is allowed, rather than write something that looks for what should be disallowed. This will make your approach much more resilient to attacks, especially unanticipated ones.

I suggest writing a regex (or ask how to write such a regex on stackoverflow).

Also, while the web service posted by Michael is pretty cool, you should evaluate if it is acceptable or not to take a dependency on such a thing.

Bryan Batchelder
I really appreciated the points you made, but on re-examining my situation I've realized that the web service listed below is really what I needed. However, your points above are most excellent and helped me re-evaluate my overall approach to the problem.
Nip
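The positive-model validation Bryan describes, worked through as an added example; this is not code from the question or from any of the answers. It is written in Python rather than ASP so that it runs as-is, but the structure maps onto the ASP page: the regular expressions use only syntax the VBScript RegExp object also supports (no lookbehind), and the final HTML-encoding step is what Server.HTMLEncode does. Because a "you are leaving our site" page must accept arbitrary external destinations, the allow-list is about the shape of the URL (scheme, hostname, permitted characters), not a fixed list of hosts; the character classes, the 2048-byte cap and the fallback markup are my assumptions for such a page.

```python
import re
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Positive model: the Continue link may only use these schemes. javascript:,
# data:, vbscript: and a bare '"><script>' all fail to match, so no keyword
# blacklist is needed.
ALLOWED_SCHEMES = {"http", "https"}

# A hostname is one or more DNS labels of letters, digits and hyphens, each
# label starting and ending with a letter or digit. This also rejects IPv6
# literals and anything carrying ":" or "@" inside the host part.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)
# Path, query and fragment: RFC 3986 pchar plus "/" (and "?" after the path).
# Quotes, angle brackets, backslash and whitespace are not in the set, so they
# can never reach the href attribute.
_PATH_RE = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@%/]*$")
_QUERY_RE = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@%/?]*$")

MAX_URL_LEN = 2048  # assumed cap; long enough for any sane destination


def validate_site(raw):
    """Return a canonical URL if ``raw`` conforms to the allowed shape, else None."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_URL_LEN:
        return None
    # Control characters, whitespace and non-ASCII are rejected outright.
    # A "java<TAB>script:" split defeats keyword blacklists but not this check.
    if any(not (0x21 <= ord(c) <= 0x7E) for c in raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return None
    if parts.username is not None or parts.password is not None:
        return None  # e.g. http://ours.example@evil.example/
    host = parts.hostname or ""  # already lowercased by urlsplit
    if not _HOST_RE.match(host):
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if (not _PATH_RE.match(parts.path)
            or not _QUERY_RE.match(parts.query)
            or not _QUERY_RE.match(parts.fragment)):
        return None
    netloc = host if port is None else "%s:%d" % (host, port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def render_continue_link(raw):
    """HTML for the Continue link, or a safe fallback when the site is rejected."""
    url = validate_site(raw)
    if url is None:
        return '<p>The destination link is not valid. <a href="/">Return to our site</a></p>'
    # Even a validated URL is HTML-encoded on output: an "&" in the query
    # string must become "&amp;" inside an attribute value.
    return '<a href="%s" rel="noopener noreferrer">Continue</a>' % escape(url, quote=True)
```

The two halves are deliberately separate: validate_site decides whether the input conforms and rebuilds the URL from the parsed pieces (so the output is never the raw query-string bytes), and render_continue_link encodes on output regardless. In the ASP page the rejection branch would render the fallback markup instead of calling Response.Write on the attacker's string.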
A: 

You could add logic to the continue page to ensure that it is only called by a page on one of your sites, either based on URL or IP address. You could also pass a time and hashed code through for added security.

Toby Mills
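The "time and hashed code" idea in Toby's answer, as an added example that is not part of the original thread. The hash has to be a keyed HMAC rather than a plain hash of the URL, otherwise anyone can compute it for their own destination; the key is shared only between the sub-sites that build Continue links and the continue page that checks them. The example is Python because classic ASP has no built-in HMAC and the ASP page would need a server component for that step; the secret, the 300-second lifetime, the parameter names and the /continue.asp path are all assumptions. This check complements, rather than replaces, validating and encoding the destination: a signed link proves a trusted page built it, not that the destination is safe to write into an attribute.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed secret for the example only; in production it is generated
# randomly, rotated, and shared only between the referring sites and the
# continue page.
SECRET = b"example-only-secret-rotate-me"


def sign_link(site, expires, secret=SECRET):
    """HMAC-SHA256 over expiry and destination; the newline keeps the two fields apart."""
    msg = ("%d\n%s" % (expires, site)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_continue_url(site, now, ttl=300, secret=SECRET):
    """Built by the referring page: destination, expiry and signature in the query string."""
    expires = int(now) + ttl
    query = urlencode({"site": site, "exp": expires,
                       "sig": sign_link(site, expires, secret)})
    return "/continue.asp?" + query


def verify_continue_request(query, now, secret=SECRET):
    """Run by the continue page. Returns the destination only if the link is
    unexpired and its signature matches; anything else yields None."""
    q = parse_qs(query, keep_blank_values=True)
    try:
        site = q["site"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return None  # parameter missing or expiry not an integer
    if int(now) > expires:
        return None  # link too old to honour
    expected = sign_link(site, expires, secret)
    # Constant-time comparison: a plain == leaks the position of the first
    # mismatching character through timing.
    if not hmac.compare_digest(expected, sig):
        return None
    return site
```

A tampered destination, an edited expiry or a missing signature all fail verification, and a captured link stops working after its lifetime; the continue page still runs the returned site through its own validation and HTML-encodes it before rendering.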