17

I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from Microsoft on the net and I was wondering if this would work with a classic application?

If not do you have any ideas how I could go about sanitizing the strings?

feetwet
Steoates

5 Answers

19

To sanitize strings I would HTML encode all output, that way you don't have to dink around with special characters or huge regex expressions

Server.HTMLEncode(string) 

The two most important countermeasures to prevent cross-site scripting attacks are to:

  • Constrain input.
  • Encode output.

via How To: Prevent Cross-Site Scripting in ASP.NET (I know it's not classic ASP but there are similar principles)

missaghi
  • @Steoates: This, here, is generally a pretty decent solution. – John Gietzen Apr 07 '09 at 14:05
  • And if you do have to display rich text (legacy system, sigh), writing a cleanup function to use multiple regular expressions is at least a step in the right direction. – Dave DuPlantis Oct 28 '09 at 18:37
  • According to OWASP simply HTMLEncoding is not enough. See: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F – blischalk Dec 07 '16 at 19:59
  • Yes if you are going to put the user generated code anywhere other than innerHTML then you should use the Microsoft Anti-Cross Site Scripting Library http://wpl.codeplex.com/ – missaghi Dec 12 '16 at 18:56
  • @rizzle The OP question is "How do I do X?" and your comment is "You should do X"? Yes, HOW do we do that? – Stephen R Sep 05 '17 at 19:27
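Context-aware output encoding in classic ASP, as an added example that is not part of missaghi's answer or of any Microsoft library: `Server.HTMLEncode` handles text between tags, and the two helper functions below (assumed names) handle the attribute and JavaScript-string contexts the OWASP cheat sheet linked in the comments says plain HTML encoding does not cover. It assumes a query-string parameter called `name`.

```vbscript
<%
' Added example, not code from the answer above: context-specific output encoders
' for classic ASP. Server.HTMLEncode covers text between tags; the two helpers
' cover attribute values and JavaScript string literals.

' Encode everything except [A-Za-z0-9] as &#NNN; so the value cannot close a
' double- or single-quoted attribute (or, unquoted, start a new attribute).
Function EncodeForHtmlAttribute(value)
    Dim i, code, out
    out = ""
    For i = 1 To Len(value)
        code = AscW(Mid(value, i, 1))
        If code < 0 Then code = code + 65536 ' AscW returns a signed 16-bit value
        If (code >= 48 And code <= 57) Or (code >= 65 And code <= 90) Or (code >= 97 And code <= 122) Then
            out = out & ChrW(code)
        Else
            out = out & "&#" & code & ";"
        End If
    Next
    EncodeForHtmlAttribute = out
End Function

' Encode for a JavaScript string literal: \xHH below 256, \uHHHH above, so
' quotes, line terminators and "</script>" cannot end the literal or the block.
Function EncodeForJavaScript(value)
    Dim i, code, out
    out = ""
    For i = 1 To Len(value)
        code = AscW(Mid(value, i, 1))
        If code < 0 Then code = code + 65536
        If (code >= 48 And code <= 57) Or (code >= 65 And code <= 90) Or (code >= 97 And code <= 122) Then
            out = out & ChrW(code)
        ElseIf code < 256 Then
            out = out & "\x" & Right("0" & Hex(code), 2)
        Else
            out = out & "\u" & Right("000" & Hex(code), 4)
        End If
    Next
    EncodeForJavaScript = out
End Function

' The same untrusted value rendered in three contexts; "name" is an assumed
' query-string parameter. Note the <input> value is wrapped in double quotes.
Dim name
name = Request.QueryString("name")
%>
<p>Hello, <%= Server.HTMLEncode(name) %></p>
<input type="text" name="name" value="<%= EncodeForHtmlAttribute(name) %>">
<script>var visitor = "<%= EncodeForJavaScript(name) %>";</script>
```

Each encoder is chosen by where the value lands in the page, not by what the value contains; a value placed into a URL or a CSS property would need yet another encoder.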
3

When functions don't exist in classic ASP, write them.

Add and strip slashes

<%
    ' Copyright (c) 2009, reusablecode.blogspot.com; some rights reserved.
    '
    ' This work is licensed under the Creative Commons Attribution License. To view
    ' a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or
    ' send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California
    ' 94305, USA.
 
    ' Despite the identical naming, these functions are more comprehensive than their PHP equivalents. 
    ' They go above and beyond even mysql_real_escape_string(), by including support for backspace and horizontal tab.
 
    ' List of characters handled:
    ' \000 null
    ' \010 backspace
    ' \011 horizontal tab
    ' \012 new line
    ' \015 carriage return
    ' \032 substitute
    ' \042 double quote
    ' \047 single quote
    ' \134 backslash
    ' \140 grave accent
 
    ' Returns a string with backslashes before characters that need to be quoted in database queries.
    ' Note: this is SQL-literal escaping, not an XSS defence; parameterised ADODB commands are the
    ' safer way to pass user input to a query, and output to HTML still needs htmlspecialchars().
    function addslashes(unsafeString)
        dim regEx
 
        set regEx = new RegExp
 
        with regEx
            .Global = true
            .IgnoreCase = true
            .Pattern = "([\000\010\011\012\015\032\042\047\134\140])"
        end with
 
        addslashes = regEx.replace(unsafeString, "\$1")
 
        set regEx = nothing
    end function
 
    ' Un-quote string quoted with addslashes()
    function stripslashes(safeString)
        dim regEx
 
        set regEx = new RegExp
 
        with regEx
            .Global = true
            .IgnoreCase = true
            .Pattern = "\\([\000\010\011\012\015\032\042\047\134\140])"
        end with
 
        stripslashes = regEx.replace(safeString, "$1")
 
        set regEx = nothing
    end function
%>

htmlspecialchars()

<%
    ' Copyright (c) 2009, reusablecode.blogspot.com; some rights reserved.
    '
    ' This work is licensed under the Creative Commons Attribution License. To view
    ' a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or
    ' send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California
    ' 94305, USA.
 
    ' Convert special characters to HTML entities.
    ' Single quotes are encoded as well, so the result is safe inside both double- and
    ' single-quoted attribute values (PHP's htmlspecialchars needs ENT_QUOTES for this).
    function htmlspecialchars(someString)
        ' Critical that ampersand is converted first, since all entities contain them.
        htmlspecialchars = replace(replace(replace(replace(replace(someString, "&", "&amp;"), ">", "&gt;"), "<", "&lt;"), """", "&quot;"), "'", "&#39;")
    end function
 
    ' Convert HTML entities to special characters.
    function htmlspecialchars_decode(someString)
        ' Ampersand must be decoded last, otherwise "&amp;lt;" would be decoded twice into "<".
        htmlspecialchars_decode = replace(replace(replace(replace(replace(someString, "&#39;", "'"), "&quot;", """"), "&lt;", "<"), "&gt;", ">"), "&amp;", "&")
    end function
%>

strip_tags()

<%
    ' Copyright (c) 2008, reusablecode.blogspot.com; some rights reserved.
    '
    ' This work is licensed under the Creative Commons Attribution License. To view
    ' a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or
    ' send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California
    ' 94305, USA.
 
    ' Strip HTML/ASP/PHP tags from a string.
    ' Note: a regex tag stripper is lossy and not a complete XSS defence (an unterminated "<" survives,
    ' and entity-encoded text is not decoded first); still HTML-encode the result when rendering it.
    function strip_tags(unsafeString)
        dim regEx
 
        set regEx = new RegExp
 
        with regEx
            .Global = true
            .IgnoreCase = true
            .Pattern = "(\<(/?[^\>]+)\>)"
        end with
 
        strip_tags = regEx.Replace(unsafeString, "")
 
        set regEx = nothing
    end function
%>
Laurel
Scott
1

If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:

Dim objRegExp, cleanString
Set objRegExp = New RegExp
With objRegExp
    ' Strip any tag that is not a bare <b>, <i>, <em>, <strong> or <br> (or their closing
    ' forms). The negative lookahead lets only those through, and because it requires ">"
    ' right after the name, an allowed tag carrying attributes (e.g. an event handler) is stripped too.
    .Pattern = "<(?!/?(b|i|em|strong|br)\s*/?>)[^>]*>"
    .IgnoreCase = True
    .Global = True
End With
cleanString = objRegExp.Replace(originalString, "")
Set objRegExp = Nothing
Dave DuPlantis
0

Not easily - you'd need to make a COM-callable wrapper, install on the servers, etc. I simply don't think it is a suitable fit for "classic" ASP.

Marc Gravell
-1
<% 
Response.AddHeader "X-XSS-Protection", "1" 
%>
Hernaldo Gonzalez
  • I know this is a bit old, but the X-XSS-Protection header is being deprecated on Chrome, does not work on Firefox, and has already been deprecated from Edge. This is *Not* sufficient protection against XSS. HTML encode your output as @missaghi suggests above. – Brian Sizemore Feb 10 '20 at 16:53
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection – Brian Sizemore Feb 10 '20 at 17:10