Use antixss to defend against xss

AntiXSS, a Class Library launched by Microsoft to prevent XSS attacks, can implement the input whitelist mechanism and output escape
At the end of the article, there is an antixx Demo project download
 
Antixss
Aspx? Id = 5242 "> http://www.microsoft.com/download/en/details.aspx? Id = 5242
 
Msi Installer. After installation, the installation directory contains the following files:
AntiXSS. chm includes parameter descriptions of the operation manual for the class library
HtmlSanitizationLibrary. dll contains the Sanitizer class (input whitelist)
AntiXSSLibrary. dll contains the Antixss and Encoder classes (output escape)
Add reference HtmlSanitizationLibrary. dll and AntiXSSLibrary. dll in the project during use
Import the namespace using Microsoft. Security. Application;
 
1. Enter a whitelist
You can call the Sanitizer. GetSafeHtmlFragment method to clean the unfiltered URL strings.
 
Url = Request. QueryString ["url"];
Url_c = Sanitizer. GetSafeHtmlFragment (url );
Response. Write (url_c );
2. Output escape
 
// HTML Content Encoding
Html_cont = Encoder. HtmlEncode (url );
// Html_cont = url;
 
// HTML attribute Encoding
Input1.Value = Encoder. HtmlAttributeEncode (url );
// Input1.Value = url;
 
// Code js
Url_c = Encoder. JavaScriptEncode (url );
// Url_c = url;
 
// URL Encoding
Img1.Src = Encoder. UrlEncode (url );
// Img1.Src = url;
 
 
XmlDocument xmlDoc;
XmlNodeList nodeList;
 
// XML property Encoding
Isbn = Encoder. XmlAttributeEncode (Request. QueryString ["isbn"]);
 
If (isbn! = Null)
{
XmlDoc = new XmlDocument ();
XmlDoc. Load (Server. MapPath ("db. xml "));
NodeList = xmlDoc. SelectSingleNode ("Employees"). ChildNodes;
Foreach (XmlNode xn in nodeList)
{
XmlElement xe = (XmlElement) xn;
If (xe. GetAttribute ("genre") = "Zhang San ")
{
Xe. SetAttribute ("ISBN", isbn );
}
}
XmlDoc. Save (Server. MapPath ("db. xml "));
}
 
// XML Content Encoding
Price = Encoder. XmlEncode (Request. QueryString ["price"]);
Price = Request. QueryString ["price"];
If (price! = Null)
{
XmlDoc = new XmlDocument ();
XmlDoc. Load (Server. MapPath ("db. xml "));
NodeList = xmlDoc. SelectSingleNode ("Employees"). ChildNodes;
Foreach (XmlNode xn in nodeList)
{
XmlElement xe = (XmlElement) xn;
If (xe. GetAttribute ("genre") = "Zhang San ")
{
XmlNodeList nls = xe. ChildNodes;
Foreach (XmlNode xn1 in nls)
{
XmlElement xe2 = (XmlElement) xn1;
If (xe2.Name = "price ")
{
Xe2.InnerText = price;
}
}
}
}
XmlDoc. Save (Server. MapPath ("db. xml "));
}
The presentation layer is as follows:
 
<Asp: Content ID = "BodyContent" runat = "server" ContentPlaceHolderID = "MainContent">
<Form action = "" id = "form1" method = "post">
<Table border = "1">
<Tr>
<Td width = "100"> type </td>
<Td width = "300"> POC clickme </td>
<Td width = "500"> result </td>
</Tr>
<Tr>
<Td> HTML content </td>
<Td> <a href = "? Url = % 3 Cscript % 3 Ealert (xss) % 3C/script % 3E "> & lt; script & gt; alert (xss) & lt;/script & gt; </a> </td>
<Td> <pre id = "h1" runat = "server"> <% = html_cont %> </pre> </td>
</Tr>
<Tr>
<Td> HTML attributes </td>
<Td> <a href = "? Url = % 22% 20src = % 22 javascript: alert (xss) % 22 "> & quot; src = & quot; javascript: alert (xss) & quot; </a> </td>
<Td> <input id = "input1" runat = "server"/> </td>
</Tr>
<Tr>
<Td> js </td>
<Td> <a href = "? Url = test; alert (1); "> test; alert (1); </td>
<Td>
<Script type = "text/javascript">
Var url = <% = url_c %>;
</Script>
</Td>
</Tr>
<Tr>
<Td> URL </td>
<Td> <a href = "? Url = javascript: alert (xss) "> javascript: alert (xss) </a> </td>
<Td> </td>
</Tr>
<Tr>
<Td> XML property encoding </td>
<Td> <a href = "? Isbn = 2-3631-4 "> isbn = 2-3631-4 </a> </td>
<Td> <% = isbn %> </td>
</Tr>
<Tr>
<Td> XML content encoding: www.2cto.com </td>
<Td> <a href = "? Price = 90 "> price = 90 </a> </td>
<Td> <% = price %> </td>
</Tr>
</Table>
</Form>
</Asp: Content>

This article is from: DoDos Blog