Microsoft Anti-Cross Site Scripting Library V1.5
Download library from https://www.microsoft.com/downloads/thankyou.aspx?familyId=EFB9C819-53FF-4F82-BFAF-E11625130C25&displayLang=en
The library uses "the principle of inclusions technique where a set of valid characters are first defined and anything outside that set is automatically encoded." Seven encoding methods cover the seven common web output contexts: HTML, HTML attributes, JavaScript, URLs, VBScript, XML and XML attributes.
| Encoding Method | Should be Used if ... | Example / Pattern |
| --- | --- | --- |
| HtmlEncode | Un-trusted input is used in HTML output, except when assigning to an HTML attribute. | `<a href="https://www.contoso.com">Click Here [Un-trusted input]</a>` |
| HtmlAttributeEncode | Un-trusted input is used as an HTML attribute. | `<hr noshade size=[Un-trusted input]>` |
| JavaScriptEncode | Un-trusted input is used within a JavaScript context. | `<script type="text/javascript"> ... [Un-trusted input] ... </script>` |
| UrlEncode | Un-trusted input is used in a URL (such as a value in a querystring). | `<a href="https://search.msn.com/results.aspx?q=[Un-trusted input]">Click Here!</a>` |
| VisualBasicScriptEncode | Un-trusted input is used within a Visual Basic Script context. | `<script type="text/vbscript" language="vbscript"> ... [Un-trusted input] ... </script>` |
| XmlEncode | Un-trusted input is used in XML output, except when assigning to an XML attribute. | `<xml_tag> [Un-trusted input] </xml_tag>` |
| XmlAttributeEncode | Un-trusted input is used as an XML attribute. | `<xml_tag attribute=[Un-trusted input]>Some Text</xml_tag>` |
Note that UrlEncode is only for encoding a component of a URL, not the whole URL. If the whole URL is passed as one parameter, it should be validated with a regular expression such as:

`^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&%\$#_]*)?$`
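To make the "principle of inclusions" concrete, here is an added illustrative encoder (not the Anti-XSS library's code) that defines an allow-list per output context from the table above and numerically encodes every other character; the exact allow-lists and escape forms are assumptions, and `search_link` shows how the UrlEncode and HtmlAttributeEncode contexts nest for the search-link pattern in the table.

```python
"""Allow-list ("principle of inclusions") output encoding, per output context.

Illustrative example modelled on the approach the Anti-XSS library describes;
not the library's own code. Allow-lists and escape forms are assumptions.
"""
import string

# Assumed allow-lists: anything NOT in the set is encoded, so an attacker can
# never introduce a character that is meaningful in the target context.
SAFE_HTML = set(string.ascii_letters + string.digits + " .,-_")
SAFE_ATTR = set(string.ascii_letters + string.digits + ".,-_")  # no space: unquoted attrs
SAFE_JS = set(string.ascii_letters + string.digits + " .,-_")
SAFE_URL = set(string.ascii_letters + string.digits + "-._~")   # RFC 3986 unreserved


def _encode(text, safe, escape):
    """Pass allow-listed characters through; run every other one through escape()."""
    return "".join(ch if ch in safe else escape(ch) for ch in text)


def html_encode(text):
    """HTML element content: '<' becomes '&#60;', '&' becomes '&#38;', and so on."""
    return _encode(text, SAFE_HTML, lambda ch: f"&#{ord(ch)};")


def html_attribute_encode(text):
    """HTML attribute value: like html_encode, but space is encoded too so the
    value cannot terminate an unquoted attribute such as size=[input]."""
    return _encode(text, SAFE_ATTR, lambda ch: f"&#{ord(ch)};")


def javascript_encode(text):
    """JavaScript string context: \\xNN below U+0100, \\uNNNN above; the result is
    returned as a complete single-quoted JS string literal."""
    def esc(ch):
        cp = ord(ch)
        return f"\\x{cp:02X}" if cp < 0x100 else f"\\u{cp:04X}"
    return "'" + _encode(text, SAFE_JS, esc) + "'"


def url_encode(text):
    """URL component (e.g. one querystring value): percent-encode the UTF-8 bytes
    of every character outside the unreserved set. Not for a whole URL."""
    return _encode(text, SAFE_URL,
                   lambda ch: "".join(f"%{b:02X}" for b in ch.encode("utf-8")))


def search_link(query):
    """The table's UrlEncode pattern, done fully: the query is a URL component
    (url_encode), and the whole href is an attribute value (html_attribute_encode),
    so the two encodings nest, innermost context first."""
    href = "https://search.msn.com/results.aspx?q=" + url_encode(query)
    return f'<a href="{html_attribute_encode(href)}">Click Here!</a>'
```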
References:
- Document: Microsoft Anti-Cross Site Scripting Library V1.5 - User Guide (installed with the library)
- Forum on ASP.NET XSS attacks: https://forums.asp.net/1107/ShowForum.aspx
- How To: Prevent Cross-Site Scripting in ASP.NET, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000004.asp
- How To: Protect From Injection Attacks in ASP.NET, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000003.asp
- Design Guidelines for Secure Web Applications, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch04.asp
- How To: Use Regular Expressions to Constrain Input in ASP.NET, https://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000001.asp
Comments
- Anonymous
March 16, 2007
Last month at the Bloomington, IL .NET User Group, Dave Bost presented on AJAX. One of the questions