
I am trying to implement AntiXSS as in the example http://www.c-sharpcorner.com/UploadFile/abhikumarvatsa/avoiding-cross-site-scripting-xss-attacks-with-antixss-in/ Can anybody figure out what I am missing here? It didn't happen as expected.

This is what I am still getting (screenshot in the original post).

What I have done so far: I have added the AntiXSS library. I can confirm it from the references, so I have added AntiXssLibrary and HtmlSanitizationLibrary. In web.config I have added this as well: `httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"` (the site is not allowing me to copy and paste the exact code).

In the controller class I have updated the following.

    // Requires: using Microsoft.Security.Application; (Sanitizer, from HtmlSanitizationLibrary)
    //           using System.Data.Entity.Validation;  (DbEntityValidationException)
    [HttpPost]
    [ValidateAntiForgeryToken]
    [ValidateInput(false)]   // disables MVC request validation, so raw HTML reaches the action
    public ActionResult Create([Bind(Include = "CourseID,Title,Credits,DepartmentID,Link")] Course course)
    {
        try
        {
            if (ModelState.IsValid)
            {
                // Allow-list HTML sanitizer: strips script/event handlers, keeps ordinary markup
                course.Link = Sanitizer.GetSafeHtmlFragment(course.Link);
                db.Courses.Add(course);
                db.SaveChanges();
                return RedirectToAction("Index");
            }
        }
        catch (DbEntityValidationException ex /* dex */)
        {
            string er = "";
            // Log the error (uncomment dex variable name and add a line here to write a log.)
            foreach (var entityValidationErrors in ex.EntityValidationErrors)
            {
                foreach (var validationError in entityValidationErrors.ValidationErrors)
                {
                    er += "Property: " + validationError.PropertyName + " Error: " + validationError.ErrorMessage;
                }
            }
            ModelState.AddModelError("", er);
        }
        PopulateDepartmentsDropDownList(course.DepartmentID);
        return View(course);
    }

`Sanitizer.GetSafeHtmlFragment` is not shaking off the HTML code. What on earth am I missing?

  • `Sanitizer.GetSafeHtmlFragment` does not get rid of all html. The question is, what are you expecting to be the Link input? What does the View look like? – SBurris Oct 28 '16 at 12:25
  • Yes, I heard not all. But what I see here is that it doesn't get rid of it at all. It's just a sample application for studying what AntiXSS can do. The View could even be allowing HTML to render. I know there are other ways of doing this. But to my surprise AntiXSS seems to be doing nothing other than removing script.
    should be removed. Otherwise, as I have shown in the example above, if the view was allowing HTML to render then it's the simplest vulnerability, and AntiXSS can't handle it.
    – user3835887 Oct 28 '16 at 19:31
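The point SBurris raises is that `GetSafeHtmlFragment` is an allow-list sanitizer, not an encoder, so ordinary markup survives it by design. The following is an added example (not the asker's code, and not part of the AntiXSS project) showing the control a defender would actually want for a `Link` field: validate it as an absolute http/https URL, and encode it for the attribute context when rendering. It assumes the AntiXSS 4.x assemblies named in the question (AntiXssLibrary for `Encoder`, HtmlSanitizationLibrary for `Sanitizer`).

```csharp
// Added example, not the asker's code. Assumes the AntiXSS assemblies referenced in the
// question (AntiXssLibrary for Encoder, HtmlSanitizationLibrary for Sanitizer).
using System;
using Microsoft.Security.Application;

public static class LinkHandling
{
    // GetSafeHtmlFragment is an allow-list HTML sanitizer: it strips script and event
    // handlers but deliberately keeps ordinary markup such as <b> or <a href="...">.
    // A course Link should never contain markup at all, so sanitizing it is the wrong control.
    public static string Sanitized(string untrustedHtml)
    {
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }

    // Validation: accept the value only if it parses as an absolute http/https URL.
    // Anything else (javascript:, data:, raw HTML) is rejected so the controller can
    // add a ModelState error instead of storing the input.
    public static bool TryGetSafeLink(string input, out string safeLink)
    {
        safeLink = null;
        Uri uri;
        if (!Uri.TryCreate(input, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        safeLink = uri.AbsoluteUri;   // normalised form, e.g. "https://example.org/course"
        return true;
    }

    // Output encoding for the context the value lands in: the stored link goes into an
    // href attribute, so attribute-encode it there (Razor's @ does this for HTML text).
    public static string ForHrefAttribute(string link)
    {
        return Encoder.HtmlAttributeEncode(link);
    }

    public static void Main()
    {
        // Constructed sample inputs: a real link, markup with a script, and a javascript: URL.
        string[] inputs = { "https://example.org/course",
                            "<b>bold</b><script>alert(1)</script>",
                            "javascript:alert(1)" };
        foreach (string s in inputs)
        {
            string link;
            Console.WriteLine("input:     " + s);
            Console.WriteLine("sanitized: " + Sanitized(s));
            Console.WriteLine("accepted:  " + (TryGetSafeLink(s, out link) ? link : "(rejected)"));
        }
    }
}
```

Only the first input passes `TryGetSafeLink`; the sanitizer output for the second keeps the `<b>` element, which is the behaviour the asker is seeing.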

0 Answers