
I am using AntiXssLibrary 4.0 but it is not escaping \x3c. What is my mistake?

I have configured AntiXss to be the default HttpEncoder based on this: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx and set the encoderType of httpRuntime in web.config.

I also created an AntiXSSEncoder derived from HttpEncoder, but instead of the deprecated

    output.Write(AntiXss.HtmlEncode(value));

I use this to override the HtmlEncode method:

    output.Write(Encoder.HtmlEncode(value));

Currently if I browse this:

    http://localhost:28453/?k=sss\x3cscript\x3ealert%28\x27haaha\x27%29;\x3c/script\x3e

The alert "haaha" shows that the AntiXss library is not working. I just want to make it behave like this demo: http://channel9.msdn.com/Events/MIX/MIX10/FT05, see minute 13.

To confirm, I also set this in an action:

    public ActionResult Index(string k)
    {
        ViewBag.k = k;
        ViewBag.j = Microsoft.Security.Application.Encoder.HtmlEncode(k);
        return View();
    }

Then in the view I put this:

    <script type="text/javascript">
        $(document).ready(function () {
            var a = '@ViewBag.k';
            var b = '@ViewBag.j';
            $('.resultName:first').html(b);
        });
    </script>

From the browser, the values of a and b are the same, which shows that AntiXss is not working well!

    <script type="text/javascript">
        $(document).ready(function () {
            var a = 'sss\x3cscript\x3ealert(\x27haaha\x27);\x3c/script\x3e';
            var b = 'sss\x3cscript\x3ealert(\x27haaha\x27);\x3c/script\x3e';
            $('.resultName:first').html(b);
        });
    </script>

Update: It only happens when I use the AntiXssEncoder as the encoder type. When I comment this out and rebuild, the single quote ' is escaped by MVC. It seems AntiXss is disabled! Am I missing something? I want this working because I want things like \x3c also escaped, like in the video.

    <!--<httpRuntime encoderType="AntiXSSEncoder, MVCWeb"/>-->

CallMeLaNN

1 Answer

You're right in that, since 4.0, .NET has encoded apostrophes in HtmlEncode, and AntiXSS does not, because, strictly speaking, it's not necessary for HTML strings, only for attribute strings.

Now once you swap AntiXSS in as the encoder, that assumption no longer applies, and people do, willy-nilly, apply Html encoding everywhere.

So when I push the next version of AntiXSS it will encode apostrophes all the time.

blowdart
  • Great. It still needs to encode, since a URL like /?k=sss';... can add javascript if the value of k is used in a javascript string. Then what to do now? Use the existing .NET 4 encoding? But how about \x3c etc.? I want to escape that also. Based on the video, the previous version of AntiXss already encoded it, but now it does not. I can inject a script tag like /?k=sss\x3cscript\x3e if the value is inserted into the DOM. – CallMeLaNN Apr 01 '11 at 07:12
  • My advice right now is to be more specific in your encoding: use Attribute encoding when it ends up in an attribute, javascript encoding when it ends up in javascript, etc. – blowdart Apr 01 '11 at 11:23
  • Ok, I got your point. I should explicitly use `Encoder.JavascriptEncode()` where a server value is transferred into a javascript variable, the same as for an Html attribute. However, I am thinking it can be double encoded, since `@` in Razor and `<%: %>` will automatically html encode it. Using @Html.Raw(Encoder.JavascriptEncode(ViewBag.k)) is not a good practice. Maybe the way AntiXss can be used is a little bit confusing. What is the good practice to work around this double encoding? – CallMeLaNN Apr 02 '11 at 06:35
  • You shouldn't be using @ or <%: for javascript encoding though; neither MVC nor Razor is situation aware, so it will always HTML Encode. That's where you need to get manual. – blowdart Apr 03 '11 at 14:56
  • Using `Encoder.JavascriptEncode()` **is working**, just like in the HaaHa video. Apostrophes and \x3c etc. are also encoded well. So I need to explicitly js encode it. In my javascript above it can be replaced like this: `var a = '@Encoder.JavascriptEncode(ViewBag.k)';`. Ok, the @ or <%: %> just uses Html Encode. What I am thinking is that either Razor or `<%:Encoder.JavascriptEncode(ViewBag.k)%>` is just the same as `<%=Html.Encode(Encoder.JavascriptEncode(ViewBag.k))%>`, which seems like it can be double encoded. But it's working now. – CallMeLaNN Apr 04 '11 at 02:18
  • Ah now, that's an interesting case. If you are using javascript to append or edit a DOM object you should HTML Encode first, then javascript encode. Yes, it'll be double encoded, but the javascript will decode it to the HTML encoded bit and then put it into your page. – blowdart Apr 04 '11 at 14:03
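The three encoding choices discussed in this thread, modelled as an added example (not code from the question, the answer, or the AntiXSS library): `htmlEncode` and `jsStringEncode` are hypothetical stand-ins for `HttpUtility.HtmlEncode` and AntiXSS `Encoder.JavaScriptEncode`, and `decodeJsLiteral` simulates what the browser's JS engine makes of the characters Razor emits between the quotes of `var b = '...'`.

```javascript
// Added example, not code from the question or answer. htmlEncode and
// jsStringEncode are hypothetical stand-ins for HttpUtility.HtmlEncode and
// AntiXSS Encoder.JavaScriptEncode; decodeJsLiteral simulates what the
// browser's JS engine makes of the characters Razor emitted between '...'.

// Constructed input: the literal characters sent in the ?k= query string above.
// They are a backslash, x, 3, c: no real '<' is present yet.
const k = "sss\\x3cscript\\x3ealert('haaha');\\x3c/script\\x3e";

function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Escape every non-alphanumeric character as \xHH (or \uHHHH), as AntiXSS does.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Simplified JS string-literal decoder: handles \xHH, \uHHHH and \<char>.
function decodeJsLiteral(lit) {
  return lit.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)/g,
    (m, hex2, hex4, ch) =>
      hex2 || hex4 ? String.fromCharCode(parseInt(hex2 || hex4, 16)) : ch);
}

function containsScriptTag(s) { return /<script/i.test(s); }

// '@ViewBag.j': HTML encoding only. The backslashes survive, so the JS engine
// turns \x3c into a real '<' and $('.resultName').html(b) injects a script tag.
function htmlOnly(v) { return decodeJsLiteral(htmlEncode(v)); }

// '@Encoder.JavascriptEncode(ViewBag.k)': the backslash itself becomes \x5c,
// so the decoded string is exactly the submitted text, with no markup.
function jsOnly(v) { return decodeJsLiteral(jsStringEncode(v)); }

// blowdart's advice for values that reach the DOM via .html(): HTML encode,
// then JavaScript encode. The JS engine hands back HTML-encoded text.
function htmlThenJs(v) { return decodeJsLiteral(jsStringEncode(htmlEncode(v))); }
```

Run `htmlOnly(k)` and `jsOnly(k)` side by side to see why HTML encoding alone cannot stop the `\x3c` case: it never touches the backslash, and the JS engine does the rest.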