Configuring AntiXss

Apr 29, 2010 at 3:46 PM
Hello, I'm currently using AntiXss to sanitize client input that includes both HTML and CSS. Unfortunately, CSS background information (background-image, background-repeat, etc.) is all being removed. I've read a few discussions on this board that say that configuration is not currently enabled, but may be considered for future releases. Is this still the case? Are there definitive plans to allow any sort of configuration in the future? Also, is the whitelist used by AntiXss available anywhere? Thanks, Steve
Coordinator
Apr 29, 2010 at 4:25 PM

There are plans, yes, but they're not in the current sprint, which is addressing bugs in the Encoding library and in some of the SRE bits.

We are aware, honest, it's just I haven't had a chance to try to work out how much is actually configurable in the sanitization library. It's in the feature request list, and I know it's a high priority to a lot of you, but for the next few weeks bug fixes and a new SRE engine, with a plugin model you can all use, are the priority, along with further mitigations using the new plugin model.

Apr 30, 2010 at 2:39 PM
Hi, Thanks for the quick response. Is removing background information from CSS expected behavior? Also, has Microsoft published the whitelist that AntiXss uses? Thanks, Steve
Coordinator
Apr 30, 2010 at 3:35 PM

Well, I've only been at MS for a couple of months, and have taken over heading AntiXSS/WPL. As you can see from the code, the HTML Sanitization was kindly donated by the Exchange team, and I'm currently trying to get a grip on it. Is it expected behaviour? It depends how you define expected - there's no real documentation around it, as you have probably already discovered, which is one of the things we will be addressing. So right now it's expected, because that's simply what it does. The CSS issue is known, as is the x_ on attributes, and the lack of XHTML support. Going forward I hope to be able to offer users the ability to turn these behaviours on and off.

The whitelist hasn't been published, either for the encoding, or the sanitization, instead we've published the code. If you think a clearer statement in the documentation would be useful then I can look at that, but it does add a little extra work keeping the documentation and the actual code in sync.
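As an added illustration (not AntiXss code, and not its whitelist, which the thread says is only visible in the published source), this shows what a configurable CSS whitelist that keeps the background properties the question asks about would need to do to stay safe: the property list, the value-shape rule and the url() scheme check are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed whitelist for this example: properties a site operator might
# choose to keep, with background-image allowed only under a URL rule.
ALLOWED_PROPERTIES = {
    "background-color", "background-repeat", "background-position",
    "background-image", "color", "font-weight",
}
URL_PROPERTIES = {"background-image"}
# Plain values: keywords, colours, lengths, percentages and nothing else.
SIMPLE_VALUE_RE = re.compile(r"^[a-zA-Z0-9#%.,\- ]+$")
# url(...) with optional matching quotes and no nested parens or quotes.
URL_VALUE_RE = re.compile(r"^url\(\s*(['\"]?)([^'\"()]*)\1\s*\)$", re.IGNORECASE)


def safe_url_value(value: str) -> bool:
    """True only for url(...) wrapping an absolute http(s) URL."""
    m = URL_VALUE_RE.match(value)
    if not m:
        return False
    parsed = urlparse(m.group(2).strip())
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def sanitize_style(style: str) -> str:
    """Keep only declarations whose property and value shape are whitelisted.

    Splitting on ';' is deliberate: anything that needs ';' inside a value
    (for example data: URLs) is not something this whitelist admits anyway.
    """
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if not sep:
            continue
        prop, value = prop.strip().lower(), value.strip()
        if prop not in ALLOWED_PROPERTIES:
            continue
        ok = bool(SIMPLE_VALUE_RE.match(value))  # e.g. "none", "#fff", "no-repeat"
        if prop in URL_PROPERTIES:
            ok = ok or safe_url_value(value)
        if ok:
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample style attribute, as a user might submit it.
    sample = "background-image: url(https://example.com/bg.png); position: absolute; color: red"
    print(sanitize_style(sample))
```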