Freigeben über


Microsoft Anti-Cross Site Scripting Library V1.5

Download library from https://www.microsoft.com/downloads/thankyou.aspx?familyId=EFB9C819-53FF-4F82-BFAF-E11625130C25&displayLang=en

The libary uses "the principle of inclusions technique where a set of valid characters are first defined and anything outside that set is automatically encoded." Seven main encoding methods cover 7 normal web encoding cases: HTML, HTML attributes, Javascript, URLs, VB Script, XML and XML attributes.

Encoding Method

Should be Used if …

Example / Pattern

HtmlEncode

Un-trusted input is used in HTML output, except when assigning to an HTML attribute.

<a href=”https://www.contoso.com”>Click Here [Un-trusted input]</ a>

HtmlAttributeEncode

Un-trusted input is used as an HTML attribute

<hr noshade size= [Un-trusted input] >

JavaScriptEncode

Un-trusted input is used within a JavaScript context

<script type=”text/javascript”>

[Un-trusted input]

</script>

UrlEncode

Un-trusted input is used in a URL (such as a value in a querystring)

<a href=”https://search.msn.com/results.aspx?q= [Un-trusted-input]” >Click Here!</a>

VisualBasicScriptEncode

Un-trusted input is used within a Visual Basic Script context

<script type=”text/vbscript” language=”vbscript”>

[Un-trusted input]

</script>

XmlEncode

Un-trusted input is used in XML output, except when assigning to a XML attribute.

<xml_tag> [Un-trusted input] </xml_tag>

XmlAttributeEncode

Un-trusted input is used as a XML attribute

<xml_tag attribute= [Un-trusted input] >Some Text</xml_tag>

Note that UrlEncode is only for encoding component of url instead of the whole url. If the whole url passed as one parameter, it should be validated using regular expressions as

^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&amp;%\$#_]*)?$

References:

¾ Document: Microsoft Anti-Cross Site Scripting Library V1.5 - User Guide (after installation library)

¾ Forum of ASP.NET XSS attack: https://forums.asp.net/1107/ShowForum.aspx

¾ How To: Prevent Cross-Site Scripting in ASP.NET, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000004.asp

¾ How To: Protect From Injection Attacks in ASP.NET, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000003.asp

¾ Design Guidelines for Secure Web Applications, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch04.asp

¾ How To: Use Regular Expressions to Constrain Input in ASP.NET, https://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000001.asp

Comments

  • Anonymous
    March 16, 2007
    Last month at the Bloomington, IL .NET User Group, Dave Bost presented on AJAX. One of the questions