I want to use the AntiXss library functions in my web application. I have a web application which contains ASP.NET pages with jQuery code in the code-behind. All of the ASP.NET pages run through jQuery JS pages. I want to apply the encoding function to some fields, but the problem is how to apply and where to apply the encoding function (in the jQuery page where the value is set to show in the output window, or in the server-side code where the get-data API is called in the .cs files). And which function should I use in this scenario (HtmlEncode, JavaScriptEncode, etc.)?

Thanks in advance

Girish Chaudhari

1 Answer

The basic idea behind preventing XSS attacks is that all input data (from a user or, say, an external application) should be treated as untrusted/unsafe and hence must either be validated while it is accepted and/or encoded while it is reproduced in output (HTML, JS, etc.).

AFAIK, AntiXss is a server-side library, so you cannot use it to encode values in the browser. You have to apply the encoding (for HTML / HTML attribute / JS, etc.) on the server side before sending those values to the client (e.g. in the aspx page, or in the asmx/WCF services that are sending data to the client where the JavaScript is going to treat the data as HTML or script).

See this article. Although it's dated, it is still a good resource to start with the AntiXss lib, and it also lists scenarios for using the various encoding methods under "Determining Encoding Method to Use".

VinayC
  • Can we go with encoding the fields at input time? When the save API is called and we insert the values into the database. What is the impact of this instead of doing it at output time? – Girish Chaudhari Jun 10 '11 at 07:30
  • @Girish, in the typical approach, you validate input (and reject it if needed). Yes, you may choose to encode it, but then all your code base must assume that whatever values exist in the database are not *raw* but encoded. This can be cumbersome sometimes. For example, assume you are accepting mathematical expressions (say, `a > b`); while showing it as an HTML literal you need to encode it, but for parsing it or assigning it to a text box for editing you want it as is. So if your DB has encoded input then you have to decode it for these scenarios. – VinayC Jun 10 '11 at 08:16
  • @vinayc I have an existing application in ASP.NET 4.0. I have downloaded and installed the same. Do I need to encode every request and response? Or can I set it as the default encoding for my application? – शेखर Jun 15 '12 at 12:35
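As an added example (not code from the question, the answer or the AntiXss project), the service below shows the answer's point in practice: the raw value stays in the database, and the server picks the encoder by the context the jQuery client will put the value into. It assumes the AntiXss 4.x library (namespace `Microsoft.Security.Application`) and an ASP.NET `[ScriptService]` web service called from `$.ajax`; the service name, method names and the stored note are hypothetical, and the note's content is a constructed test value.

```csharp
// Added example; not from the original post. Assumes AntiXss 4.x
// (Microsoft.Security.Application.Encoder) and ASP.NET 4.0 script services.
using System;
using System.Web;
using System.Web.Services;
using System.Web.Script.Services;
using Microsoft.Security.Application;

[WebService(Namespace = "http://example.invalid/")]
[ScriptService] // allows jQuery to call the methods with $.ajax and receive JSON
public class NoteService : WebService
{
    // Constructed stand-in for a value read from the database. It is stored
    // RAW (not pre-encoded), as the comment thread recommends, so it can still
    // be parsed or edited; it contains markup, a '>' and a quote on purpose.
    private static readonly string StoredNote =
        "<img src=x onerror=alert(1)> a > b & 'c'";

    // Context 1: the client inserts the value as HTML content, e.g.
    //   $('#note').html(data.d);
    // so the server must HTML-encode it before it leaves.
    [WebMethod]
    public string GetNoteAsHtml()
    {
        return Encoder.HtmlEncode(StoredNote);
        // "&lt;img src=x onerror=alert(1)&gt; a &gt; b &amp; &#39;c&#39;"
    }

    // Context 2: the client builds markup and drops the value into an
    // attribute, e.g. '<span title="' + data.d + '">', so use the attribute
    // encoder, which also handles quotes and spaces for that position.
    [WebMethod]
    public string GetNoteAsAttribute()
    {
        return Encoder.HtmlAttributeEncode(StoredNote);
    }

    // Context 3: the client puts the value into a text box for editing, e.g.
    //   $('#noteInput').val(data.d);
    // .val() sets a DOM property, not markup, so the value is sent raw here.
    // HTML-encoding it would show "&lt;img" to the user and, on save, the
    // database would end up with a double-encoded note (the comment's caveat).
    // The JSON serializer already escapes quotes and control characters for
    // transport, which is a different concern from HTML encoding.
    [WebMethod]
    public string GetNoteForEditing()
    {
        return StoredNote;
    }
}

// Context 4: the value is written straight into a <script> block in an .aspx
// page rather than fetched by jQuery, e.g.
//   <script>var note = <%= NoteForScript %>;</script>
// JavaScriptEncode emits a quoted JS string literal with <, >, ' and & escaped,
// so the result can be assigned without closing the literal or the script tag.
public partial class NotePage : System.Web.UI.Page
{
    protected string NoteForScript
    {
        get { return Encoder.JavaScriptEncode("<img src=x onerror=alert(1)> a > b & 'c'"); }
    }
}
```

The rule the four methods illustrate is the one in the answer: choose the encoder by where the value lands (HTML body, attribute, script literal, or a DOM property such as a text box value), not by where the data came from, and do it once, at output, so the stored value stays raw.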