开发者

<%: %> vs Microsoft the anti XSS library

开发者 https://www.devze.com 2023-01-05 12:34 出处:网络
With .net 4 there\'s a new <%: %> script enclosure that\'s like <%= %> but does an html encode.People are encouraging the use of this new syntax.

With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax.

My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?

A Microsoft security person once told me to never just use HTML Encode as it doesn't protect very well and that I should always use the Anti XSS library (or another library). Is that still true with <%: %>? Or can I co开发者_开发知识库nfidently use <%: %> knowing it's going to protect my app from XSS like people are saying?


HttpUtility.HtmlEncode uses a black list (principle of exclusions) approach to encoding, which potentially leaves the door ajar for newly discover exploits in the future. The Anti-XSS library (now known as the Web Protection Library and includes code to mitigate SQL injection too) uses a whitelist approach (principle of inclusions) which closes the door a little further and should provide better security.

<%: ... %> is just a shortcut for <%= Server.HtmlEncode(string) %> and therefore provides the security of the encoder used in your application.

You can use any encoder you like with the new <%: ... %> syntax and Phil Haack has a great post on hooking up the Anti-Xss library as the default encoder. Bear in mind that currently Anti-XSS library 3.1 requires medium trust to run - this is being addressed for a future release.


The new syntax should only be used to escape raw text content in HTML. EDIT: and attributes.

For attributes, Javascript, and other contexts, you should still use the Anti-XSS library,

0

精彩评论

暂无评论...
验证码 换一张
取 消