
AntiXss library not working well

I am using AntiXssLibrary 4.0 but it is not escaping \x3c. What is my mistake?

I have configured AntiXss to be the default HttpEncoder based on http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx and set the encoderType of httpRuntime in web.config.

I also created an AntiXSSEncoder derived from HttpEncoder, but instead of the deprecated

output.Write(AntiXss.HtmlEncode(value));

I use this to override the HtmlEncode method:

output.Write(Encoder.HtmlEncode(value));

Currently if I browse this:

http://localhost:28453/?k=sss\x3cscript\x3ealert%28\x27haaha\x27%29;\x3c/script\x3e

The alert "haaha" shows that the AntiXss library is not working. I just want to make it behave like this video shows: http://channel9.msdn.com/Events/MIX/MIX10/FT05 (see minute 13).

To confirm, I also set this in an action:

    public ActionResult Index(string k)
    {
        ViewBag.k = k;
        ViewBag.j = Microsoft.Security.Application.Encoder.HtmlEncode(k);
        return View();
    }

Then in the view I put this:

    <script type="text/javascript">
        $(document).ready(function () {
            var a = '@ViewBag.k';
            var b = '@ViewBag.j';
            $('.resultName:first').html(b);
        });
    </script>

From the browser, the values of a and b are the same, which shows that AntiXss is not working well!

    <script type="text/javascript">
        $(document).ready(function () {
            var a = 'sss\x3cscript\x3ealert(\x27haaha\x27);\x3c/script\x3e';
            var b = 'sss\x3cscript\x3ealert(\x27haaha\x27);\x3c/script\x3e';
            $('.resultName:first').html(b);
        });
    </script>

Update: It only happens when I use the AntiXssEncoder as the encoder type. When I comment this out and rebuild, the single quote ' is escaped by MVC. It seems AntiXss is disabled! Am I missing something? I want this to work because I want \x3c escaped as well, like in the video.

    <!--<httpRuntime encoderType="AntiXSSEncoder, MVCWeb"/>-->


You're right in that, since 4.0, .NET has encoded apostrophes in HtmlEncode, and AntiXSS does not, because, strictly speaking, it's not necessary for HTML strings, only for attribute strings.

Now, once you swap AntiXSS in as the encoder, that assumption no longer applies, and people do, willy-nilly, apply HTML encoding everywhere.

So when I push the next version of AntiXSS it will encode apostrophes all the time.

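The question's observation that `a` and `b` come out identical is not evidence that AntiXSS is switched off: both `k` and `HtmlEncode(k)` are written into a JavaScript string literal, and no HTML encoder has a rule for the backslash, so it is the JavaScript engine, not the HTML parser, that later turns `\x3c` into `<`. The example below is added here and is not code from the question, the answer or the AntiXSS library. `htmlEncode` follows the documented behaviour of .NET 4 `HttpUtility.HtmlEncode`; `jsStringEncode` is an assumed whitelist encoder of the kind `HttpUtility.JavaScriptStringEncode` or AntiXSS `Encoder.JavaScriptEncode` provide (the shape, not their implementation); `valueSeenByScript` stands in for the browser parsing the emitted `<script>` block. It also covers the apostrophe point in the answer: an entity such as `&#39;` is never decoded inside a script block, which is why the output context, not the HTML encoder, decides which encoding is correct.

```javascript
// Added example, not code from the question or from the AntiXSS library.
// Shows why HTML encoding (whichever encoder is plugged into httpRuntime)
// cannot stop "\x3c" from becoming "<" once the value sits inside a JavaScript
// string literal, and what a JavaScript-string encoder must do instead.

// The value the question's URL delivers to the action (constructed from the
// URL on the page). In the query string the backslash is an ordinary character:
// the string holds "\", "x", "3", "c", not "<".
const INPUT = "sss\\x3cscript\\x3ealert(\\x27haaha\\x27);\\x3c/script\\x3e";

// HTML encoder in the style of .NET 4 HttpUtility.HtmlEncode: it rewrites the
// five HTML-significant characters and nothing else. A backslash is not one of
// them, so it passes through untouched.
function htmlEncode(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => table[ch]);
}

// Assumed JavaScript-string encoder (whitelist style, like JavaScriptStringEncode
// or AntiXSS Encoder.JavaScriptEncode; not their code): alphanumerics and a few
// punctuation characters are kept, everything else, including the backslash,
// becomes a \xHH or \uHHHH escape. Because the backslash itself is escaped, a
// supplied "\x3c" reaches the browser as "\x5cx3c" and stays literal text.
function jsStringEncode(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i); // UTF-16 unit; surrogates escape individually
    if (/[A-Za-z0-9 ,.\-_]/.test(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += "\\x" + code.toString(16).padStart(2, "0");
    } else {
      out += "\\u" + code.toString(16).padStart(4, "0");
    }
  }
  return out;
}

// Stand-in for the browser: it parses
//     var a = '<encoded value>';
// as JavaScript. Nothing is HTML-decoded inside <script>, so "&#39;" stays as
// literal text, while "\x3c" is decoded by the JavaScript engine into "<".
function valueSeenByScript(encoded) {
  return new Function("return '" + encoded + "';")();
}

// True when the value that reached the script contains a tag start, i.e. the
// string that jQuery's .html(b) would then inject into the page as markup.
function containsMarkup(s) {
  return /<\/?[a-z]/i.test(s);
}

// A value with a real apostrophe, for the second problem the answer mentions:
// .NET 4 HtmlEncode turns "'" into "&#39;", which a script block never decodes
// back, so the page would display the entity text instead of the name.
const NAME = "O'Reilly";

console.log(valueSeenByScript(htmlEncode(INPUT)));     // sss<script>alert('haaha');</script>
console.log(valueSeenByScript(jsStringEncode(INPUT)));  // the original text, backslashes intact
console.log(valueSeenByScript(htmlEncode(NAME)));      // O&#39;Reilly  (wrong text on the page)
console.log(valueSeenByScript(jsStringEncode(NAME)));   // O'Reilly
```

The practical takeaway for the question's view is that `@ViewBag.k` inside `var a = '...'` needs a JavaScript-string encoder, not a swap of the HTML encoder: with the right encoder the backslash in the request arrives as `\x5c`, so the script sees the literal characters `\x3c` and `.html(b)` receives text, not a tag.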
