Use antixss to defend against xss

Source: Internet
Author: User


AntiXSS is a class library released by Microsoft to prevent XSS attacks. It provides two mechanisms: an input whitelist (sanitization) and output escaping (context-specific encoding).
A download link for an AntiXSS demo project is given at the end of the article.
 
AntiXSS download: http://www.microsoft.com/download/en/details.aspx?id=5242
 
The download is an MSI installer. After installation, the installation directory contains the following files:
AntiXSS.chm: the manual for the class library, including parameter descriptions for each method
HtmlSanitizationLibrary.dll: contains the Sanitizer class (input whitelist)
AntiXSSLibrary.dll: contains the AntiXss and Encoder classes (output escaping)
To use them, add references to HtmlSanitizationLibrary.dll and AntiXSSLibrary.dll in the project and import the namespace: using Microsoft.Security.Application;
 
1. Input whitelist
Call the Sanitizer.GetSafeHtmlFragment method to clean an unfiltered string (here the url query-string parameter) against the library's whitelist of allowed HTML before it is written out:

// Whitelist-filter the raw query-string value, then write the cleaned fragment
string url = Request.QueryString["url"];
string url_c = Sanitizer.GetSafeHtmlFragment(url);
Response.Write(url_c);
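Added example (not from the original article or the AntiXSS project) contrasting the two mechanisms the library offers on the same inputs: Sanitizer.GetSafeHtmlFragment keeps whitelisted markup such as b and i while dropping script elements, event-handler attributes and javascript: URLs, whereas Encoder.HtmlEncode turns the whole value into inert text. The class WhitelistDemo, its methods Whitelist, Escape and LooksInert, and the sample strings are constructed for this example; it assumes the two DLLs and the using directive described above.

```csharp
// Added example, not the article's own code. Assumes references to
// AntiXSSLibrary.dll and HtmlSanitizationLibrary.dll as described above.
using System;
using Microsoft.Security.Application;

public static class WhitelistDemo
{
    // Constructed sample inputs: one benign rich-text fragment and three XSS probes
    // of the kinds a sanitizer must neutralise.
    private static readonly string[] Samples =
    {
        "<b>hello</b> <i>world</i>",
        "<script>alert(1)</script><b>still here</b>",
        "<img src=\"x\" onerror=\"alert(1)\">",
        "<a href=\"javascript:alert(1)\">click</a>",
    };

    // Whitelist approach: allowed tags and attributes survive, everything else is removed.
    public static string Whitelist(string html)
    {
        return Sanitizer.GetSafeHtmlFragment(html);
    }

    // Output-encoding approach: no markup survives at all, the value is shown as text.
    public static string Escape(string html)
    {
        return Encoder.HtmlEncode(html);
    }

    // Smoke test on a sanitized fragment: a script element, an onerror handler or a
    // javascript: URL should never come back out of the whitelist.
    public static bool LooksInert(string fragment)
    {
        string f = (fragment ?? string.Empty).ToLowerInvariant();
        return !f.Contains("<script") && !f.Contains("onerror=") && !f.Contains("javascript:");
    }

    public static void Main()
    {
        foreach (string s in Samples)
        {
            string w = Whitelist(s);
            Console.WriteLine("input      : " + s);
            Console.WriteLine("whitelist  : " + w + "   inert=" + LooksInert(w));
            Console.WriteLine("htmlencode : " + Escape(s));
            Console.WriteLine();
        }
    }
}
```

GetSafeHtmlFragment is intended for values that are supposed to contain HTML (rich-text input from an editor). For a plain value such as a URL parameter, the context-specific Encoder methods in the next section are the simpler and stricter choice. LooksInert is only a sanity check on the sanitizer's output, not a proof that the fragment is safe.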
2. Output escaping
Each output context (HTML body, HTML attribute, JavaScript, URL, XML text, XML attribute) gets its own Encoder method. The commented-out lines are the unencoded versions, kept so that the demo page can show the difference.

// HTML content encoding
html_cont = Encoder.HtmlEncode(url);
// html_cont = url;

// HTML attribute encoding
input1.Value = Encoder.HtmlAttributeEncode(url);
// input1.Value = url;

// JavaScript encoding (the result is emitted inside a script block)
url_c = Encoder.JavaScriptEncode(url);
// url_c = url;

// URL encoding
img1.Src = Encoder.UrlEncode(url);
// img1.Src = url;


XmlDocument xmlDoc;
XmlNodeList nodeList;

// XML attribute encoding
isbn = Encoder.XmlAttributeEncode(Request.QueryString["isbn"]);

if (isbn != null)
{
    xmlDoc = new XmlDocument();
    xmlDoc.Load(Server.MapPath("db.xml"));
    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
    foreach (XmlNode xn in nodeList)
    {
        XmlElement xe = (XmlElement)xn;
        if (xe.GetAttribute("genre") == "Zhang San")
        {
            xe.SetAttribute("ISBN", isbn);
        }
    }
    xmlDoc.Save(Server.MapPath("db.xml"));
}

// XML content encoding
price = Encoder.XmlEncode(Request.QueryString["price"]);
// price = Request.QueryString["price"];
if (price != null)
{
    xmlDoc = new XmlDocument();
    xmlDoc.Load(Server.MapPath("db.xml"));
    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
    foreach (XmlNode xn in nodeList)
    {
        XmlElement xe = (XmlElement)xn;
        if (xe.GetAttribute("genre") == "Zhang San")
        {
            XmlNodeList nls = xe.ChildNodes;
            foreach (XmlNode xn1 in nls)
            {
                XmlElement xe2 = (XmlElement)xn1;
                if (xe2.Name == "price")
                {
                    xe2.InnerText = price;
                }
            }
        }
    }
    xmlDoc.Save(Server.MapPath("db.xml"));
}
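Added example (not from the original article or the AntiXSS project) that pulls the per-context calls above into one helper, EncodeFor, keyed by an OutputContext enum, and renders the same sinks as the demo page as plain strings so each encoder's effect can be inspected without the web project. The names OutputContext, ContextEncoding, EncodeFor and the Render* methods, and the probe strings, are constructed for this example; it assumes AntiXSSLibrary.dll is referenced. It uses the two-argument JavaScriptEncode overload with emitQuotes set to false and supplies the quotes in the template itself; the one-argument form the article uses wraps the value in quotes for you, which is why the demo markup writes var url = <%= url_c %>; without quotes.

```csharp
// Added example, not the article's own code. Assumes a reference to AntiXSSLibrary.dll
// and 'using Microsoft.Security.Application;' as the article describes.
using System;
using Microsoft.Security.Application;

public enum OutputContext { HtmlBody, HtmlAttribute, JavaScriptString, UrlParameter, XmlText, XmlAttribute }

public static class ContextEncoding
{
    // One entry point per sink: the caller names the context, the matching encoder follows.
    public static string EncodeFor(OutputContext ctx, string value)
    {
        switch (ctx)
        {
            case OutputContext.HtmlBody:         return Encoder.HtmlEncode(value);
            case OutputContext.HtmlAttribute:    return Encoder.HtmlAttributeEncode(value);
            // emitQuotes = false: the template below adds the quotes itself
            case OutputContext.JavaScriptString: return Encoder.JavaScriptEncode(value, false);
            case OutputContext.UrlParameter:     return Encoder.UrlEncode(value);
            case OutputContext.XmlText:          return Encoder.XmlEncode(value);
            case OutputContext.XmlAttribute:     return Encoder.XmlAttributeEncode(value);
            default: throw new ArgumentOutOfRangeException("ctx");
        }
    }

    // The same sinks as the article's demo page, rendered as strings.
    public static string RenderHtmlBody(string v)  { return "<pre>" + EncodeFor(OutputContext.HtmlBody, v) + "</pre>"; }
    public static string RenderAttribute(string v) { return "<input value=\"" + EncodeFor(OutputContext.HtmlAttribute, v) + "\" />"; }
    public static string RenderScript(string v)    { return "var url = '" + EncodeFor(OutputContext.JavaScriptString, v) + "';"; }
    public static string RenderLink(string v)      { return "<a href=\"?url=" + EncodeFor(OutputContext.UrlParameter, v) + "\">go</a>"; }

    // XML built by string concatenation: the encoders are needed here. When writing
    // through XmlDocument (SetAttribute / InnerText) instead, the DOM escapes on Save,
    // so pre-encoding there would double-encode the value.
    public static string RenderXml(string isbn, string price)
    {
        return "<book ISBN=\"" + EncodeFor(OutputContext.XmlAttribute, isbn) + "\"><price>"
             + EncodeFor(OutputContext.XmlText, price) + "</price></book>";
    }

    public static void Main()
    {
        // Constructed probes, the same shapes as the POC links on the article's demo page.
        string[] probes =
        {
            "<script>alert(xss)</script>",
            "\" src=\"javascript:alert(xss)\"",
            "test';alert(1);",
            "javascript:alert(xss)",
        };
        foreach (string p in probes)
        {
            Console.WriteLine("probe     : " + p);
            Console.WriteLine("html body : " + RenderHtmlBody(p));
            Console.WriteLine("attribute : " + RenderAttribute(p));
            Console.WriteLine("script    : " + RenderScript(p));
            Console.WriteLine("link      : " + RenderLink(p));
            Console.WriteLine();
        }
        Console.WriteLine(RenderXml("2-3631-4\" evil=\"1", "90 < 100 & more"));
    }
}
```

The point of routing every write through EncodeFor is that the choice of encoder is made where the output context is known, not where the value arrives; a value that is correct in an HTML body is still unsafe inside a script block or an attribute if only HtmlEncode was applied.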
The presentation layer is as follows:
 
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
<form action="" id="form1" method="post">
<table border="1">
<tr>
<td width="100">type</td>
<td width="300">POC (click me)</td>
<td width="500">result</td>
</tr>
<tr>
<td>HTML content</td>
<td><a href="?url=%3Cscript%3Ealert(xss)%3C/script%3E">&lt;script&gt;alert(xss)&lt;/script&gt;</a></td>
<td><pre id="h1" runat="server"><%= html_cont %></pre></td>
</tr>
<tr>
<td>HTML attribute</td>
<td><a href="?url=%22%20src=%22javascript:alert(xss)%22">&quot; src=&quot;javascript:alert(xss)&quot;</a></td>
<td><input id="input1" runat="server" /></td>
</tr>
<tr>
<td>js</td>
<td><a href="?url=test;alert(1);">test;alert(1);</a></td>
<td>
<script type="text/javascript">
var url = <%= url_c %>;
</script>
</td>
</tr>
<tr>
<td>URL</td>
<td><a href="?url=javascript:alert(xss)">javascript:alert(xss)</a></td>
<td></td>
</tr>
<tr>
<td>XML attribute encoding</td>
<td><a href="?isbn=2-3631-4">isbn=2-3631-4</a></td>
<td><%= isbn %></td>
</tr>
<tr>
<td>XML content encoding</td>
<td><a href="?price=90">price=90</a></td>
<td><%= price %></td>
</tr>
</table>
</form>
</asp:Content>

This article is from: DoDos Blog
