An Improvement on Output Encoding in .Net
Most people I talk with in the application security community have heard me say that the frameworks are not great at preventing common vulnerabilities like XSS. Well, as I am changing jobs and want to brush up on some C# concepts, I decided to put my coding skills where my big fat mouth is. I sat down for 30 minutes and wrote a prototype, and I will keep working on it throughout the week to get more familiar with the framework.
Just to prove that I am not just talking up a storm, here is the initial code.
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXss library

public static class SaferEncoding
{
    // Extension method: lbl.SaferText(s) HTML-encodes s before it reaches Label.Text,
    // which otherwise renders whatever it is given unencoded.
    public static void SaferText(this Label lbl, string s)
    {
        lbl.Text = AntiXss.HtmlEncode(s);
    }
}
Some might notice that I am using AntiXss for the encoding. The reason? Encoding has many nuances, so why not let someone else handle them. Also, why didn't I override the Text property on the label? There are two reasons:
- I wanted it to be easy for people to find where output was not being properly encoded. For example, a security auditor could search the code base for ".Text", and any hit would need a good reason for using that property directly.
- Sometimes an un-encoded value needs to be used, and I understand this.
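To show the extension method in use, here is an added example; it is not code from the original post. It assumes the Microsoft AntiXss library (Microsoft.Security.Application) is referenced and that System.Web is available. The SaferToolTip helper, the SaferEncodingDemo class, the payload string and the lblGreeting code-behind snippet are all constructed for illustration; only SaferText itself comes from the post.

```csharp
using System;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXss library; assumed to be referenced

public static class SaferEncoding
{
    // HTML body context: Label.Text is rendered between tags without encoding,
    // so encode for that context before assigning it. The null guard is an
    // addition of this example, not part of the original prototype.
    public static void SaferText(this Label lbl, string s)
    {
        lbl.Text = AntiXss.HtmlEncode(s ?? string.Empty);
    }

    // Attribute context (hypothetical companion helper, same pattern): ToolTip is
    // emitted inside title="...", which needs attribute encoding, not body encoding.
    // This is the kind of nuance the post leaves to the AntiXss library.
    public static void SaferToolTip(this WebControl ctl, string s)
    {
        ctl.ToolTip = AntiXss.HtmlAttributeEncode(s ?? string.Empty);
    }
}

public static class SaferEncodingDemo
{
    // Constructed sample input standing in for an attacker-controlled query-string value.
    private const string Payload = "<img src=x onerror=alert(1)>";

    // Returns the text each approach would hand to the browser so the two can be compared.
    public static string RawAssignment()
    {
        var lbl = new Label();
        lbl.Text = Payload;          // the pattern an auditor's search for ".Text" should flag
        return lbl.Text;
    }

    public static string EncodedAssignment()
    {
        var lbl = new Label();
        lbl.SaferText(Payload);      // what page code should call instead
        return lbl.Text;
    }

    public static void Main()
    {
        Console.WriteLine("raw:     " + RawAssignment());
        Console.WriteLine("encoded: " + EncodedAssignment());
        // AntiXss.HtmlEncode replaces '<' and '>' with entity references, so the
        // encoded value can no longer be parsed as an <img> tag.
        Console.WriteLine("tag survives encoding: " + EncodedAssignment().Contains("<"));
    }
}

// Typical use in a Web Forms code-behind (assumes a Label named lblGreeting on the page):
//
// protected void Page_Load(object sender, EventArgs e)
// {
//     lblGreeting.SaferText(Request.QueryString["name"]);
// }
```

The audit the post describes is then a plain text search: something like `grep -rn "\.Text\s*=" --include=*.cs --include=*.aspx .` lists every direct assignment, and each hit outside SaferEncoding needs the justification the second bullet talks about. Note that the right encoder depends on where the value lands (body, attribute, JavaScript, URL), which is why the example adds a separate attribute-context helper rather than reusing HtmlEncode for ToolTip. For completeness, the framework does ship one encoding control, a Literal with Mode="Encode", but a Label still renders its Text raw, which is exactly the gap the extension method closes.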