Thursday, August 28, 2008

An Improvement on Output Encoding in .Net

Most people I talk with in the application security community have heard me say that the frameworks are not great at preventing common vulnerabilities like XSS. Well, as I am changing jobs and want to brush up on some C# concepts, I decided to put my coding skills where my big fat mouth is. I sat down for 30 minutes and wrote a prototype, and I will keep working on it throughout the week to get more familiar with the framework.

Just to prove that I am not just talking up a storm, here is the initial code.

using Microsoft.Security.Application; // AntiXss library, provides AntiXss.HtmlEncode

public static class SaferEncoding
{
    // Extension method: lbl.SaferText(s) HTML-encodes s before it reaches Label.Text,
    // so untrusted input is never written to the page as raw markup.
    public static void SaferText(this System.Web.UI.WebControls.Label lbl, System.String s)
    {
        lbl.Text = AntiXss.HtmlEncode(s);
    }
}


Some might notice that I am using AntiXss for the encoding. The reason? Encoding has many nuances, so why not let someone who has already worked through them handle it. Also, why didn't I override the Text property on the label? Well, there are two reasons:
  1. I wanted it to be easy for people to find out where they were not properly encoding. For example, a security auditor could come in and search for ".Text", and any hits would need a good reason to use that property directly.
  2. Sometimes an un-encoded value needs to be used, and I understand that.
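The ".Text" audit sweep from reason 1, written out as an added example (my own, not code from the post): it lists every direct assignment to a .Text property, which is exactly the set of places that bypass SaferText() and need a reason 2 justification. The sample source file and directory are constructed for the demo, and the grep pattern (which also catches += and ignores == comparisons) is my assumption about how raw assignments look in page code.

```shell
#!/bin/sh
# Added example, not part of the original post. Implements the auditor's
# ".Text" search as a grep over ASP.NET source, flagging raw assignments
# that skip the SaferText() extension.

# List lines in *.cs / *.aspx / *.ascx under $1 that assign to a .Text
# property directly (= or +=). "== " comparisons are not assignments and
# are excluded by the trailing [^=]. Each hit must have a documented reason.
find_raw_text_assignments() {
    grep -rnE --include='*.cs' --include='*.aspx' --include='*.ascx' \
        '\.Text[[:space:]]*(\+?=)[^=]' "$1" 2>/dev/null
}

# Number of hits, usable as a CI gate: non-zero means someone must justify them.
count_raw_text_assignments() {
    find_raw_text_assignments "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one encoded call, two raw assignments, one comparison.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Page.aspx.cs" <<'EOF'
lblName.SaferText(Request["name"]);      // encoded via AntiXss, not flagged
lblNote.Text = Request["note"];          // raw: flagged, needs a justification
if (lblName.Text == "") { }              // comparison, not flagged
lblFooter.Text += year;                  // compound assignment, also flagged
EOF

find_raw_text_assignments "$demo_dir"
```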
I will post the updates as they come along, along with the code and binaries. Maybe someone will find this useful.

1 Comments:

Blogger dre said...

I found this useful. Thank you

8:35 AM  
