AntiXSS

There are 12 entries for the tag AntiXSS
.NET 4.5 now includes the core AntiXSS functions

Oh how I have wanted to sing about this for months, now it’s public … Due to the popularity of the Microsoft AntiXSS Library, ASP.NET 4.5 now incorporates core encoding routines from version 4.0 of that library. The encoding routines are implemented by the AntiXssEncoder type in the new System.Web.Security.AntiXss namespace. You can use the AntiXssEncoder type directly by calling any of the static encoding methods that are implemented in the type. However, the easiest approach for using the new anti-XSS routines is to configure an ASP.NET application to use the AntiXssEncoder by...

posted @ Wednesday, September 14, 2011 1:26 PM | Feedback (10)

AntiXSS 4.1 Beta 1

In celebration of the bright shining thing in the Seattle sky (I haven’t seen it in a while, I’m scary) I’ve pushed new source for the AntiXSS encoding libraries to codeplex, including specific support for swapping out the default encoders in .NET 4.0. As this is only a beta there are no binaries, you will need to grab the source yourself and compile. Replacing the default encoders in .NET 4.0 will require you to use the DLL from the Net4 project and to make a web.config change to the httpRuntime node as follows <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/> The runtime...

posted @ Saturday, April 23, 2011 12:38 PM | Feedback (7)

AntiXSS 4.0 Released

Get it while it’s hot. I’ll push the source to CodePlex tomorrow – my source VM is in a sorry state, so it’s rebuild time. Technorati Tags: AntiXSS

posted @ Thursday, September 30, 2010 3:39 PM | Feedback (0)

AntiXSS 4.0 Release notes

As I’m almost done, the AntiXSS 4.0 release notes have been finalised:

Minimum Requirements
.NET Framework 3.5

Return Values
If you pass a null as the value to an encoding function, the function will now return null. The previous behavior was to return String.Empty.

Medium Trust Support
The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment(), have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and...

posted @ Tuesday, September 21, 2010 10:33 AM | Feedback (0)

Upcoming AntiXSS surrogate support

Historically AntiXSS has had problems with surrogates (go on, make the baby jokes, I’ll wait). Unicode surrogates are a way of combining two characters to enable the character range in UTF-16 to go beyond 0xFFFF. Characters (or more accurately code points) between 0x000 and 0xFFFF make up the Basic Multilingual Plane; however, the code points and tables within the BMP are pretty much all used up – so how do you get beyond this? Any code point beyond 0xFFFF is broken down into two characters, a high surrogate (which lies between D800 and DBFF) and a low surrogate (between DC00...

posted @ Friday, July 23, 2010 11:04 AM | Feedback (3)

Upcoming changes to AntiXSS

So this sprint I’ve been playing around with AntiXSS. This makes me very nervous, changing something that quite a few folks internally and externally depend on is a heavy burden! One of the most popular requests was “Can you support language X?” and now the answer is probably yes. I say probably, because we’re covering the UTF-16 code tables – if you wanted support for Byzantine Musical Notation (really, it exists) then you’re out of luck. Now there’s a little problem in all of this – Unicode doesn’t have a concept of language, it has code tables. If you’re...

posted @ Monday, July 19, 2010 11:35 AM | Feedback (0)

Further work on WPL PlugIns

(And yes, I did mean PlugIns – darned FXCop rules) After a couple of weeks of experimentation with code I think I have the plug-in model complete now. As suggested by Travis in the comments on a previous post, as many parameters as possible are now using System.Web.Abstractions. Right now there are three main interfaces:

/// <summary>
/// Defines methods that must be implemented for request inspection.
/// </summary>
public interface IRequestInspector : ISecurityRuntimePlugIn
{
    /// <summary>
    /// Inspects an HTTP request for potential problems.
    /// </summary>
    /// <param name="request">The...

posted @ Monday, May 03, 2010 5:56 PM | Feedback (2)

Replacing the ASP.NET encoder with AntiXSS

Phil Haack has just blogged how to write an encoding provider for ASP.NET 4.0 which uses AntiXSS. He beat me to it – one of the reasons I’ve switched WPL to VS2010 is so I can include an assembly which does this in the next public release. Encoding providers will work for both ASP.NET 4.0 WebForms and MVC applications, but the HttpEncoder class only encodes HTML, HTML attributes, HTTP headers and URL and URL paths. If you’re using the JavaScript encoding bits you’ll still have to do that manually. The decoding functionality will be based down to the .NET framework...

posted @ Wednesday, April 07, 2010 6:22 PM | Feedback (0)

Anti-XSS begins its evolution. And other new toys.

Mark Curphey has obviously been whipping his team into a frenzy and a new version of CAT.NET, along with WPL and WACA have been announced. They’re all in CTP and available from Connect. WPL is the evolution of AntiXSS, which is turning into a nice basis for a web application firewall (ok, it’s a stupid marketing term I know, but with the Security Runtime Engine and the new extensibility features it will allow you to build something that sits between your app and the evil internet and protects you. That’s not an excuse for getting it right in the...

posted @ Friday, November 20, 2009 11:04 AM | Feedback (1)

AntiXSS gets HTML Sanitation

Version 3.1 of the Microsoft AntiXSS library (binary download) was released on the 15th September and now comes with HTML sanitation. Not content with dropping a new release of the library, Anil’s wife also dropped a release of her own and he’s now on paternity leave, which means the new functionality is undocumented for now. A quick look in the help file shows two new methods, GetSafeHtml and GetSafeHtmlFragment. Both methods have the same three overloads:

GetSafeHtml(string) – which takes a string containing the HTML to be made safe
GetSafeHtml(TextReader, Stream)...

posted @ Sunday, September 20, 2009 9:54 AM | Feedback (0)

AntiXSS has gone RTM

AntiXSS, the open source encoding library from the Microsoft Security Tools folks, has gone live, and the binaries are available from the MS download centre. I’ve been recommending this for quite a while over the framework’s HttpEncode and UrlEncode simply because it offers more options (JavaScript, VBScript, XML encoding) and has a visible test suite – plus if something does go wrong it’ll be easier to patch it quickly, rather than wait for a patched version of the .NET framework. There’s also a runtime module which will try to encode on the fly in case you forget to … ...

posted @ Wednesday, July 15, 2009 11:59 AM | Feedback (0)

A new version of AntiXSS

For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that come with the framework. However, there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs. It was released on codeplex last night; you can get v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, they've even...

posted @ Wednesday, December 10, 2008 11:39 AM | Feedback (0)