antixsslibrary

问题 I've just started using AntiXSS (4.3.0), mostly to use @Encoder.JavaScriptEncode as described here. I installed AntiXSS from Nuget, then added encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" to <httpRuntime in my Web.config. In my view, I have the following line (within <script> tags): var userId = @Encoder.JavaScriptEncode(User.Identity.GetUserId()); Which I would expect to output var userId = 'user-id'; but instead outputs: var userId = 'user-id'; I assume this

问题 I know of several ways to do this, but they all have some downside. Is there an "accepted" way of doing it, that is considered the best? I used to use the Microsoft.Security.Application.AntiXss.JavaScriptEncode() which is great, but AntiXSS has been end-of-lifed because the encoder is now included in .NET as of 4.5. However, for some reason, System.Web.Security.AntiXss.AntiXssEncoder doesn't include the JavaScriptEncode method. There's System.Web.HttpUtility.JavaScriptStringEncode() , but it

问题 MS's AntiXSS (v4.2.1) Sanitizer.GetSafeHtmlFragment(string) method is removing <br> and <br /> tags from my input. Is this supposed to happen? Is there a way around it? It seems to be removing \n and \r characters too, so I cannot call Replace() after the sanitizer has done its job. 回答1: The 4.2.x release was motivated by a security vulnerability detected precisely in the HTML sanitizer. More information about this fact: Microsoft Security Bulletin MS12-007 - Important Microsoft Anti-XSS

问题 How does the XSS (Cross Site Scripting) support provided by ASP.net differs from AntiXss. AntiXss is a microsoft library for securing your site against XSS. Both API looks almost similar and it looks that they can easily be switched from one to another by doing find replace in your code files. Which one provides more security against XSS? Is it advicable to use the intrinsic support provided by ASP.net? 回答1: There are several differences. First of all the Microsoft AntiXss library uses white

问题 How do I properly encode JavaScript in the following context: <html> ... <script type="text/javascript"> var settings = @Html.PleaseEncode(settings.ToJson()); // ... </script> </html> The values in my JSON objects are set by the application administrator, so I assume they need properly encoded -- both for HTML and JavaScript. I'm using System.Web.Script.Serialization.JavaScriptSerializer to do the JSON encoding. It looks like JavaScriptSerializer does some encoding as it outputs the text

问题 Can I include Microsoft's Anti-XSS library in my ASP.Net 2.0 application without Visual Studio? If so, how? I've already downloaded and installed the library. From Microsoft's download page: "Reference the library in your application and use it." Researching this turns up instructions for doing so with Visual Studio, but not without. This S.O. answer links to a few promising articles, but those also assume Visual Studio to start. (As for why I can't use Visual Studio: my manager says "No.")

问题 I don't know if I am doing this right. I first time build something to prevent attack on page. I will start from the bottom: I have property: public string Description {get;set;} User can set it's value through tinyMCE tinyMCE.init({ mode: "textareas", theme: "advanced", encoding : "xml"... In controller before I save this in database I do: model.Description = HttpUtility.HtmlDecode(model.Description); In database I have a value like: <p>bla bla bla</p> I added AntiXSS library to my project:

问题 I don't know if I am doing this right. I first time build something to prevent attack on page. I will start from the bottom: I have property: public string Description {get;set;} User can set it's value through tinyMCE tinyMCE.init({ mode: "textareas", theme: "advanced", encoding : "xml"... In controller before I save this in database I do: model.Description = HttpUtility.HtmlDecode(model.Description); In database I have a value like: <p>bla bla bla</p> I added AntiXSS library to my project:

问题 Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe" 回答1: We are using the HtmlSanitizer .Net library, which: Is open-source (MIT) - GitHub link Is fully customizable, e.g configure which elements should be removed. see wiki Is actively maintained Doesn't have the problems like Microsoft Anti

问题 Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe" 回答1: We are using the HtmlSanitizer .Net library, which: Is open-source (MIT) - GitHub link Is fully customizable, e.g configure which elements should be removed. see wiki Is actively maintained Doesn't have the problems like Microsoft Anti