Build the Anti-Cross Site Scripting into ASP.NET Controls

I was just taking a look at the Microsoft Anti-Cross Site Scripting Library V1.0 that was released the other day. This is very useful.

While peering into the assembly's methods with Reflector it occurred to me that it would be great to incorporate this code directly into the next update of the ASP.NET Textbox control. You could have properties named TrapXSSHTML and TrapXSSUrl. When set to True, ASP.NET would apply the library's logic to the input.

It's great to have a library like this... it would be even greater if its security checks could be tied directly to the controls that make our web sites vulnerable.

I always remember Michael Howard's talk at an MVP Summit. He warned us to treat all input as evil. The Anti-Cross Site Scripting Library is one of those tools that helps us separate the evil from the valid.

Published 28 February 2006 10:47 PM by Ken Cox [MVP]

Comments

# Wim Hollebrandse said on 01 March, 2006 05:37 AM
Hi Ken,

I'm not sure your suggestion makes sense.

You would still want to have access to the non-encoded value of the textbox, for storage in a database etc.

As per your suggestion, only adding these properties to the textbox would not be sufficient.

The point is that cross-site scripting only comes into play when actually outputting the value from a textbox straight to the browser.

The textbox is unaware when its value is being used as HTML output to the browser or not.

I guess what could make sense is to have two additional .Text properties, e.g. TextHtmlXssSafe and TextUrlXssSafe, which can then be used by the developer to display the equivalent XSS-safe HTML or URL in the browser.

Wim
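The two positions above (encode when the control receives input versus encode when the page renders output) can be shown side by side. The following is an added example, not code from the post, the comment, or the Anti-Cross Site Scripting Library: it models a textbox that keeps the raw posted value for storage and exposes two hypothetical helpers named after the comment's suggested properties, encoding the same value differently for an HTML context and a URL context. It uses Python's standard-library `html.escape` and `urllib.parse.quote` as stand-ins for the library's HTML and URL encoders, and also shows what goes wrong when a value is encoded once on input and again on output.

```python
import html
from urllib.parse import quote


class TextBox:
    """Stand-in for an ASP.NET TextBox (hypothetical, constructed for this example).

    The raw posted value is kept untouched in .text so it can be stored in a
    database or compared; nothing is encoded until the value is rendered.
    """

    def __init__(self, posted_value: str) -> None:
        self.text = posted_value  # raw input, exactly as the browser posted it

    # Hypothetical helpers named after the properties proposed in the comment.
    def text_html_xss_safe(self) -> str:
        """Encode for an HTML text or attribute context (<, >, &, ", ')."""
        return html.escape(self.text, quote=True)

    def text_url_xss_safe(self) -> str:
        """Encode for a URL query-string value context (percent-encoding)."""
        return quote(self.text, safe="")


def render_profile(box: TextBox) -> str:
    """Render the same raw value into two different output contexts.

    The display name goes into HTML text, so it is HTML-encoded; the same
    value goes into a query string, so there it is URL-encoded instead.
    """
    return (
        f"<p>Display name: {box.text_html_xss_safe()}</p>\n"
        f'<a href="/search?q={box.text_url_xss_safe()}">Search for this name</a>'
    )


def encode_at_input_then_output(posted_value: str) -> str:
    """Model a TrapXSSHTML-style control that encodes on input, followed by a
    page that (correctly) encodes on output: the value comes out double-encoded,
    and the database holds an HTML-specific form that is wrong for a URL."""
    stored = html.escape(posted_value, quote=True)  # encoded before storage
    return html.escape(stored, quote=True)          # encoded again at render


if __name__ == "__main__":
    # Constructed sample input: a script tag plus characters that each encoder
    # treats differently (&, spaces).
    box = TextBox("<script>alert(1)</script> Tom & Jerry")
    print(box.text)                                  # raw value for the database
    print(render_profile(box))                       # context-specific encodings
    print(encode_at_input_then_output("Tom & Jerry"))  # double-encoded artefact
```

Running it shows the single raw value rendered as `&lt;script&gt;...` in the paragraph and as `%3Cscript%3E...` in the link, while the input-encoding variant turns `Tom & Jerry` into `Tom &amp;amp; Jerry`, which is the visible symptom of encoding before the output context is known.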
