Question

I am using AntiXssLibrary 4.0 but it is not escaping \x3c. What is my mistake?

I have configured the AntiXss to be the default HttpEncoder based on this: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx and set the encoderType of httpRuntime in web.config.

I also created an AntiXSSEncoder derived from HttpEncoder, but instead of the deprecated

output.Write(AntiXss.HtmlEncode(value));

I use this to override the HtmlEncode method:

output.Write(Encoder.HtmlEncode(value));

Currently if I browse this:

http://localhost:28453/?k=sss\x3cscript\x3ealert%28\x27haaha\x27%29;\x3c/script\x3e

The alert "haaha" shows that the AntiXss library is not working. I just want it to work like this demo: http://channel9.msdn.com/Events/MIX/MIX10/FT05, see minute 13.

To confirm, I also set this in an action:

    public ActionResult Index(string k)
    {
        ViewBag.k = k;
        ViewBag.j = Microsoft.Security.Application.Encoder.HtmlEncode(k);
        return View();
    }

Then in the view I put this:

<script type="text/javascript">
    $(document).ready(function () {
        var a = '@ViewBag.k';
        var b = '@ViewBag.j';
        $('.resultName:first').html(b);
    });
</script>

From the browser, the values of a and b are the same, which shows the AntiXss is not working well!

<script type="text/javascript">
    $(document).ready(function () {
        var a = 'sss\x3cscript\x3ealert(\x27haaha\x27);\x3c/script\x3e';
        var b = 'sss\x3cscript\x3ealert(\x27haaha\x27);\x3c/script\x3e';
        $('.resultName:first').html(b);
    });
</script>

Update: It only happens when I use the AntiXssEncoder as the encoder type. When I comment this out and rebuild, the single quote ' is escaped by MVC. It seems the AntiXss is disabled! Am I missing something? I want this working because I want \x3c to also be escaped, like in the video.

<!--<httpRuntime encoderType="AntiXSSEncoder, MVCWeb"/>-->
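Added example, not part of the question or the answer: the query value in the question contains the literal characters backslash, x, 3, c, not a `<`. HTML encoding (whether .NET's or AntiXSS's) has no reason to touch a backslash, so the value is written into the Razor view unchanged, and it is the browser's JavaScript string-literal parser that turns `\x3c` into `<` before `.html(b)` inserts it into the DOM. The control that fits this sink is JavaScript-string encoding of `k` (AntiXSS exposes this as `Encoder.JavaScriptStringEncode`), which escapes the backslash itself. The two encoders below are simplified approximations written for this example, not the library's code, and `parseJsStringLiteral` is a small model of how the browser decodes a single-quoted literal; the sample value `K` is the constructed payload from the question.

```javascript
// Added example (not from the question, the answer, or the AntiXSS library).
// Shows why HtmlEncode leaves "\x3c" exploitable inside a JS string literal
// and why a JavaScript-string encoder does not.

// Minimal HTML encoder covering the five characters HTML cares about.
// Backslash is not among them, so "\x3c" passes through untouched.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Allow-list JavaScript string encoder in the spirit of AntiXSS
// Encoder.JavaScriptStringEncode (approximation, not the library's rules):
// letters, digits and space are kept; everything else, including the
// backslash, quotes, < and >, becomes a \xHH or \uHHHH escape.
function jsStringEncode(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9 ]/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else out += '\\u' + cp.toString(16).padStart(4, '0');
  }
  return out;
}

// Model of how the browser turns the body of a single-quoted JS string
// literal into a runtime string: \xHH, \uHHHH and single-character escapes
// are decoded. Good enough for this demonstration, not a full parser.
const SIMPLE_ESCAPES = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', '0': '\0' };
function parseJsStringLiteral(body) {
  return body.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[\s\S])/g, (_, esc) => {
    if (esc.length === 3 && esc[0] === 'x') return String.fromCharCode(parseInt(esc.slice(1), 16));
    if (esc.length === 5 && esc[0] === 'u') return String.fromCharCode(parseInt(esc.slice(1), 16));
    return Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, esc) ? SIMPLE_ESCAPES[esc] : esc;
  });
}

// Constructed sample: the raw query value from the question. String.raw keeps
// the backslashes as real characters, exactly as the server receives them.
const K = String.raw`sss\x3cscript\x3ealert(\x27haaha\x27);\x3c/script\x3e`;

// What the view emits between the quotes, and what the browser ends up with.
function renderedWith(encoder, value) {
  const literalBody = encoder(value);
  return { literalBody, runtimeValue: parseJsStringLiteral(literalBody) };
}

// HTML-encoded: the literal body is unchanged, so the runtime value contains
// a real <script> element that .html(b) will insert.
const withHtml = renderedWith(htmlEncode, K);
// JS-string-encoded: the backslashes are themselves escaped, so the runtime
// value is the original text, backslashes included, and contains no '<'.
const withJs = renderedWith(jsStringEncode, K);

console.log('HtmlEncode  ->', withHtml.literalBody, '=>', withHtml.runtimeValue);
console.log('JsStrEncode ->', withJs.literalBody, '=>', withJs.runtimeValue);
```

The practical reading for the question's view: `@ViewBag.j` is HTML-encoded for an HTML-text context, but the value is being dropped into a JavaScript string context, so the wrong encoder is applied for that sink. Encoding `k` with the JavaScript string encoder at the point where it is written into `var b = '...'`, and keeping `.html()` for trusted markup only, is the change that makes `\x3c` harmless.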

Solution

You're right in that, since 4.0, .NET has encoded apostrophes in HTMLEncode, and AntiXSS does not, because, strictly speaking, it's not necessary for HTML strings, only for attribute strings.

Now once you swap AntiXSS in as the encoder that assumption no longer applies, and people do, willy-nilly, apply Html encoding everywhere.

So when I push the next version of AntiXSS it will encode apostrophes all the time.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow