Microsoft Anti-Cross Site Scripting Library V1.5
Download library from https://www.microsoft.com/downloads/thankyou.aspx?familyId=EFB9C819-53FF-4F82-BFAF-E11625130C25&displayLang=en
The libary uses "the principle of inclusions technique where a set of valid characters are first defined and anything outside that set is automatically encoded." Seven main encoding methods cover 7 normal web encoding cases: HTML, HTML attributes, Javascript, URLs, VB Script, XML and XML attributes.
Encoding Method |
Should be Used if … |
Example / Pattern |
HtmlEncode |
Un-trusted input is used in HTML output, except when assigning to an HTML attribute. |
<a href=”https://www.contoso.com”>Click Here [Un-trusted input]</ a> |
HtmlAttributeEncode |
Un-trusted input is used as an HTML attribute |
<hr noshade size= [Un-trusted input] > |
JavaScriptEncode |
Un-trusted input is used within a JavaScript context |
<script type=”text/javascript”> … [Un-trusted input] … </script> |
UrlEncode |
Un-trusted input is used in a URL (such as a value in a querystring) |
<a href=”https://search.msn.com/results.aspx?q= [Un-trusted-input]” >Click Here!</a> |
VisualBasicScriptEncode |
Un-trusted input is used within a Visual Basic Script context |
<script type=”text/vbscript” language=”vbscript”> … [Un-trusted input] … </script> |
XmlEncode |
Un-trusted input is used in XML output, except when assigning to a XML attribute. |
<xml_tag> [Un-trusted input] </xml_tag> |
XmlAttributeEncode |
Un-trusted input is used as a XML attribute |
<xml_tag attribute= [Un-trusted input] >Some Text</xml_tag> |
Note that UrlEncode is only for encoding component of url instead of the whole url. If the whole url passed as one parameter, it should be validated using regular expressions as
^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&%\$#_]*)?$ |
References:
¾ Document: Microsoft Anti-Cross Site Scripting Library V1.5 - User Guide (after installation library)
¾ Forum of ASP.NET XSS attack: https://forums.asp.net/1107/ShowForum.aspx
¾ How To: Prevent Cross-Site Scripting in ASP.NET, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000004.asp
¾ How To: Protect From Injection Attacks in ASP.NET, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000003.asp
¾ Design Guidelines for Secure Web Applications, https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch04.asp
¾ How To: Use Regular Expressions to Constrain Input in ASP.NET, https://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000001.asp