antixsslibrary

AntiXSS HtmlEncode Textarea line break loss

你。 提交于 2019-12-13 15:12:21
问题 I am developing web application on ASP.NET and I am getting textarea input from users and later display this input on website. While saving input into database I am not encoding input and directly write them into db. If input contains "enter" I don't want to lose line breaks. So I am replacing data like that: Replace("\r\n", " <br /> ") And to prevent XSS attack before displaying I am encoding data using Microsoft's AntiXSS library's Microsoft.Security.Application.Encoder.HtmlEncode function.

Microsoft AntiXSS - Is there a need to Decode?

回眸只為那壹抹淺笑 提交于 2019-12-13 12:30:13
问题 The HttpUtility class provides for both encoding and decoding. But, when I use the MS AntiXSS 3.1 Library I have a set of methods only for encoding, does this mean decoding can be avoided? For example Before applying AntiXSS: lblName.Text = "ABC" + "<script> alert('Inject'); </script"; After applying AntiXSS: lblName.Text = AntiXSS.HTMLEncode("ABC" + "<script> alert('Inject'); </script"); So, after applying the encoding, the HTML tags show up in my Label control. Is this the desired outcome?

Accepted list approach explain AntiXSS

ぐ巨炮叔叔 提交于 2019-12-13 07:12:44
问题 In one of the site I found that statemement in article: The AntiXSS Library takes an accepted-list approach, whereas the .NET Framework takes a blocked-list approach. Explain me please what does it mean accepted-list approach and blocked-list approach ??? 回答1: In security parlance accepted-list approach is called as a Whitelist approach; blocked-list approach is called as a Blacklist approach. Please refer to the discussion here at What is whitelist and blacklist data? or google Blacklist vs

What is the benefit to make encoderType to AntiXssEncoder in a MVC application?

北城余情 提交于 2019-12-12 14:22:44
问题 In the What’s New page of .Net 4.5, it said that you may set encoderType to use the AntiXssEncoder type. http://www.asp.net/aspnet/overview/aspnet-and-visual-studio-2012/whats-new#_Toc318097382 <httpRuntime ... encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> But what is the benefit to modify the default encoderType ? Thanks. 回答1: AntiXssEncoder uses a whitelist approach to identify malicious inputs

Script exploits in ASP.NET - Is setting validateRequest=“true” good advice?

守給你的承諾、 提交于 2019-12-12 13:13:53
问题 I was reading about ASP.NET Script Exploits, and one of the suggestions is: (emphasis is mine; and the suggestion is #3 in section "Guarding Against Scripting Exploits " in the web page) If you want your application to accept some HTML (for example, some formatting instructions from users), you should encode the HTML at the client before it is submitted to the server . For more information, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.

GetSafeHtmlFragment removing all html tags

岁酱吖の 提交于 2019-12-11 02:23:16
问题 I am using GetSafeHtmlFragment in my website and I found that all of tags except <p> and <a> is removed. I researched around and I found that there is no resolution for it from Microsoft. Is there any superseded for it or is there any solution? Thanks. 回答1: An alternative solution would be to use the Html Agility Pack in conjunction with your own tags white list : using System; using System.IO; using System.Text; using System.Linq; using System.Collections.Generic; using HtmlAgilityPack;

Using MS Anti XSS library for sanitizing HTML

淺唱寂寞╮ 提交于 2019-12-07 03:19:22
问题 In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time. My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I covered? Do I need to do anything when the HTML is outputted on a web page? Also, it appears that the white list is kind of a black box. Is there a way to

How to properly sanitize content with AntiXss Library?

泪湿孤枕 提交于 2019-12-07 03:04:06
问题 I have a simple forums application, when someone posts any content, i do: post.Content = Sanitizer.GetSafeHtml(post.Content); Now, i am not sure if i am doing something wrong, or what is going on, but it does not allow almost no html. Even simple <b></b> is too much for it. So i guess that tool is totally useless. Now my question: Can anyone tell me how should i sanitize my users inputs so that they can post some images( <img> tags) and use bold emphasis etc? 回答1: It seems that many people

I use AntiXSS but I still can hack page

放肆的年华 提交于 2019-12-06 13:26:31
I don't know if I am doing this right. I first time build something to prevent attack on page. I will start from the bottom: I have property: public string Description {get;set;} User can set it's value through tinyMCE tinyMCE.init({ mode: "textareas", theme: "advanced", encoding : "xml"... In controller before I save this in database I do: model.Description = HttpUtility.HtmlDecode(model.Description); In database I have a value like: <p>bla bla bla</p> I added AntiXSS library to my project: public class AntiXssEncoder : HttpEncoder { public AntiXssEncoder() { } protected override void

Microsoft AntiXSS - Is there a need to Decode?

喜欢而已 提交于 2019-12-06 02:31:29
The HttpUtility class provides for both encoding and decoding. But, when I use the MS AntiXSS 3.1 Library I have a set of methods only for encoding, does this mean decoding can be avoided? For example Before applying AntiXSS: lblName.Text = "ABC" + "<script> alert('Inject'); </script"; After applying AntiXSS: lblName.Text = AntiXSS.HTMLEncode("ABC" + "<script> alert('Inject'); </script"); So, after applying the encoding, the HTML tags show up in my Label control. Is this the desired outcome? Yes, I think this is desired output. This is because the script is not executed. If the script would
订阅 antixsslibrary