1

I was reading some questions trying to find a good solution to preventing XSS in user provided URLs(which get turned into a link). I've found one for PHP but I can't seem to find anything for .Net.

To be clear, all I want is a library which will make user-provided text safe(including unicode gotchas?) and make user-provided URLs safe(used in a or img tags)

I noticed that StackOverflow has very good XSS protection, but sadly that part of their Markdown implementation seems to be missing from MarkdownSharp. (and I use MarkdownSharp for a lot of my content)

Community
  • 1
  • 1
Earlz
  • 62,085
  • 98
  • 303
  • 499

4 Answers4

6

Microsoft has the Anti-Cross Site Scripting Library; you could start by taking a look at it and determining if it fits your needs. They also have some guidance on how to avoid XSS attacks that you could follow if you determine the tool they offer is not really what you need.

Esteban Araya
  • 29,284
  • 24
  • 107
  • 141
  • Wow, that's actually included in my tag list. I didn't know it was an actual library. This seems to meet my needs though, and then some (like JavascriptEncode) – Earlz Apr 21 '11 at 04:40
  • Wow that MSDN article is very out of date - the AntiXSS library download, and source can by found at http://wpl.codeplex.com. – blowdart Apr 22 '11 at 14:34
  • 1
    For those who come across this page, parts of the AntiXSS library are now going to be bundled in the upcomming ASP.net 4.5 release http://www.asp.net/vnext/whats-new#_Toc303354468 – Alex KeySmith Oct 26 '11 at 11:36
  • I realise this is an old answer, but the Microsoft library is (April 2015) broken - http://www.anotherchris.net/asp-net/anti-xss-net-libraries-a-hole-in-the-framework/ has the details, the feedback page: http://wpl.codeplex.com/releases/view/80289#ReviewsAnchor – Chris S Apr 27 '15 at 09:52
  • @ChrisS you may want to try [HtmlSanitizer](http://stackoverflow.com/a/43677257/1248177) – aloisdg Apr 28 '17 at 09:52
2

There's a few things to consider here. Firstly, you've got ASP.NET Request Validation which will catch many of the common XSS patterns. Don't rely exclusively on this, but it's a nice little value add.

Next up you want to validate the input against a white-list and in this case, your white-list is all about conforming to the expected structure of a URL. Try using Uri.IsWellFormedUriString for compliance against RFC 2396 and RFC 273:

var sourceUri = UriTextBox.Text;
if (!Uri.IsWellFormedUriString(sourceUri, UriKind.Absolute))
{
  // Not a valid URI - bail out here
}

AntiXSS has Encoder.UrlEncode which is great for encoding string to be appended to a URL, i.e. in a query string. Problem is that you want to take the original string and not escape characters such as the forward slashes otherwise http://troyhunt.com ends up as http%3a%2f%2ftroyhunt.com and you've got a problem.

As the context you're encoding for is an HTML attribute (it's the "href" attribute you're setting), you want to use Encoder.HtmlAttributeEncode:

MyHyperlink.NavigateUrl = Encoder.HtmlAttributeEncode(sourceUri);

What this means is that a string like http://troyhunt.com/<script> will get escaped to http://troyhunt.com/&lt;script> - but of course Request Validation would catch that one first anyway.

Also take a look at the OWASP Top 10 Unvalidated Redirects and Forwards.

Troy Hunt
  • 20,345
  • 13
  • 96
  • 151
  • AntiXSS will have EncodeUrlPath in beta at the weekend :) But yes, UrlEncode doesn't do what it's named as unfortunately. Nothing I can do about that - it does what the framework function does :) – blowdart Apr 22 '11 at 14:33
0

I rely on HtmlSanitizer. It is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. It uses AngleSharp to parse, manipulate, and render HTML and CSS.

Because HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental "tag poisoning" where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.

Usage:

var sanitizer = new HtmlSanitizer();
var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
    + @"style=""background-color: test"">Test<img src=""test.gif"""
    + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
Assert.That(sanitized, Is.EqualTo(@"<div style=""background-color: test"">"
    + @"Test<img style=""margin: 10px"" src=""http://www.example.com/test.gif""></div>"));

There's an online demo, plus there's also a .NET Fiddle you can play with.

(copy/paste from their readme)

aloisdg
  • 22,270
  • 6
  • 85
  • 105
0

i think you can do it yourself by creating an array of the charecters and another array with the code,
if you found characters from the array replace it with the code, this will help you ! [but definitely not 100%]

character array
<
>
...

Code Array
& lt;
& gt;
...

Sourav
  • 17,065
  • 35
  • 101
  • 159
  • Well, I know I could make it myself, but I'd rather use someone else's because I'm not all that knowledgeable on XSS and I don't want to risk having a vulnerability in what I make – Earlz Apr 21 '11 at 04:31