antixsslibrary

AntiXSS JavaScriptEncode gets HTML encoded?

时间秒杀一切 提交于 2021-01-28 05:30:12
问题 I've just started using AntiXSS (4.3.0), mostly to use @Encoder.JavaScriptEncode as described here. I installed AntiXSS from Nuget, then added encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" to <httpRuntime in my Web.config. In my view, I have the following line (within <script> tags): var userId = @Encoder.JavaScriptEncode(User.Identity.GetUserId()); Which I would expect to output var userId = 'user-id'; but instead outputs: var userId = 'user-id'; I assume this

In ASP.NET 4.5, how should I encode a string to be used as a JavaScript variable, to prevent XSS attacks

假如想象 提交于 2020-01-01 14:26:37
问题 I know of several ways to do this, but they all have some downside. Is there an "accepted" way of doing it, that is considered the best? I used to use the Microsoft.Security.Application.AntiXss.JavaScriptEncode() which is great, but AntiXSS has been end-of-lifed because the encoder is now included in .NET as of 4.5. However, for some reason, System.Web.Security.AntiXss.AntiXssEncoder doesn't include the JavaScriptEncode method. There's System.Web.HttpUtility.JavaScriptStringEncode() , but it

Is Sanitizer.GetSafeHtmlFragment supposed to remove <br> elements?

▼魔方 西西 提交于 2019-12-30 08:59:07
问题 MS's AntiXSS (v4.2.1) Sanitizer.GetSafeHtmlFragment(string) method is removing <br> and <br /> tags from my input. Is this supposed to happen? Is there a way around it? It seems to be removing \n and \r characters too, so I cannot call Replace() after the sanitizer has done its job. 回答1: The 4.2.x release was motivated by a security vulnerability detected precisely in the HTML sanitizer. More information about this fact: Microsoft Security Bulletin MS12-007 - Important Microsoft Anti-XSS

Anti XSS support in ASP.net Vs AntiXss Lib

百般思念 提交于 2019-12-25 02:24:59
问题 How does the XSS (Cross Site Scripting) support provided by ASP.net differs from AntiXss. AntiXss is a microsoft library for securing your site against XSS. Both API looks almost similar and it looks that they can easily be switched from one to another by doing find replace in your code files. Which one provides more security against XSS? Is it advicable to use the intrinsic support provided by ASP.net? 回答1: There are several differences. First of all the Microsoft AntiXss library uses white

How to encode embedded javascript in Razor view in ASP.NET MVC 3?

久未见 提交于 2019-12-23 17:22:55
问题 How do I properly encode JavaScript in the following context: <html> ... <script type="text/javascript"> var settings = @Html.PleaseEncode(settings.ToJson()); // ... </script> </html> The values in my JSON objects are set by the application administrator, so I assume they need properly encoded -- both for HTML and JavaScript. I'm using System.Web.Script.Serialization.JavaScriptSerializer to do the JSON encoding. It looks like JavaScriptSerializer does some encoding as it outputs the text

How to Include Anti-XSS in ASP.Net 2.0 Without Visual Studio

£可爱£侵袭症+ 提交于 2019-12-23 14:19:42
问题 Can I include Microsoft's Anti-XSS library in my ASP.Net 2.0 application without Visual Studio? If so, how? I've already downloaded and installed the library. From Microsoft's download page: "Reference the library in your application and use it." Researching this turns up instructions for doing so with Visual Studio, but not without. This S.O. answer links to a few promising articles, but those also assume Visual Studio to start. (As for why I can't use Visual Studio: my manager says "No.")

I use AntiXSS but I still can hack page

跟風遠走 提交于 2019-12-22 21:30:57
问题 I don't know if I am doing this right. I first time build something to prevent attack on page. I will start from the bottom: I have property: public string Description {get;set;} User can set it's value through tinyMCE tinyMCE.init({ mode: "textareas", theme: "advanced", encoding : "xml"... In controller before I save this in database I do: model.Description = HttpUtility.HtmlDecode(model.Description); In database I have a value like: <p>bla bla bla</p> I added AntiXSS library to my project:

I use AntiXSS but I still can hack page

独自空忆成欢 提交于 2019-12-22 21:30:30
问题 I don't know if I am doing this right. I first time build something to prevent attack on page. I will start from the bottom: I have property: public string Description {get;set;} User can set it's value through tinyMCE tinyMCE.init({ mode: "textareas", theme: "advanced", encoding : "xml"... In controller before I save this in database I do: model.Description = HttpUtility.HtmlDecode(model.Description); In database I have a value like: <p>bla bla bla</p> I added AntiXSS library to my project:

How to use C# to sanitize input on an html page?

心不动则不痛 提交于 2019-12-17 04:21:38
问题 Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe" 回答1: We are using the HtmlSanitizer .Net library, which: Is open-source (MIT) - GitHub link Is fully customizable, e.g configure which elements should be removed. see wiki Is actively maintained Doesn't have the problems like Microsoft Anti

How to use C# to sanitize input on an html page?

巧了我就是萌 提交于 2019-12-17 04:21:08
问题 Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe" 回答1: We are using the HtmlSanitizer .Net library, which: Is open-source (MIT) - GitHub link Is fully customizable, e.g configure which elements should be removed. see wiki Is actively maintained Doesn't have the problems like Microsoft Anti