Can you please help fix the following two cross-site scripting issues? Here I'm using the AntiXSS library to fix the cross-site scripting vulnerabilities.

Apr 27, 2011 at 12:15 PM

Below is the original code. When I ran the CAT.NET tool, it showed a cross-site scripting vulnerability here.

Original code:

----------------------------------------------

protected void ParentingTreeViewUC_OnNodeClick(object sender, RadTreeNodeEventArgs e)
{
    // e.Node.Value is untrusted input written straight into the label's HTML: the CAT.NET finding
    LabelVictim.Text += ";" + e.Node.Value;
}


I tried to fix it in the following two ways, but the CAT.NET tool again shows the same thing.


Modified code:

---------------------------------------

1. LabelVictim.Text += AntiXss.HtmlEncode(";" + e.Node.Value);

2. LabelVictim.Text += ";" + AntiXss.HtmlEncode(e.Node.Value);

-----------------------------------------------------------------------------


Original code

---------------------------

infoMsgDiv.InnerHtml = "<ul>";
string msgColor = "black";
string panelClass = "panoerror";
foreach (string s in msgList)
{
    string msg = s;
    // Each message is expected to start with a "[Type]" prefix, e.g. "[Error]"
    int typeLastIndex = s.IndexOf("]");
    if (s.Substring(0, typeLastIndex + 1) == "[Error]")
    {
        msgColor = "Red";
        panelClass = "paerror";
    }
    msg = s.Substring(typeLastIndex + 1);

    // msg is concatenated into the HTML unencoded: the CAT.NET finding
    infoMsgDiv.InnerHtml += "<li style='color:" + msgColor + "'>" + msg + "</li>";
}
infoMsgDiv.InnerHtml += "</ul>";
printArea.Attributes.Add("class", panelClass);
msgPH.Visible = true;


Modified code

-----------------------

infoMsgDiv.InnerHtml += "<li style='color:" + AntiXss.HtmlAttributeEncode(msgColor) + "'>" + AntiXss.HtmlEncode(msg) + "</li>";


Can you please suggest a workaround for these issues?
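As an added example (not code from the original post, and not part of the AntiXSS library), here is the second snippet rebuilt so that each untrusted value is encoded for the context it lands in. System.Net.WebUtility.HtmlEncode stands in for AntiXss.HtmlEncode so the file compiles without the AntiXSS assembly; the class and method names are mine, and the colour allow-list is an assumption drawn from the two values the original code assigns. It also covers the first snippet: the ";" separator is not attacker-controlled, so the poster's second placement (encoding only e.Node.Value) is the natural one, and the colour is kept safe by restricting it to known values rather than by HtmlAttributeEncode, which targets HTML attribute values, not CSS property values.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Added example, not the poster's code. Builds the same "<ul><li>" block as the
// thread's second snippet with every untrusted value encoded for its context.
public static class SafeMessageRenderer
{
    // Assumption: msgColor only ever takes the two values the original code assigns.
    // A CSS value inside style='...' is its own context, so instead of encoding the
    // colour we refuse anything outside this fixed set.
    private static readonly HashSet<string> AllowedColors =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "black", "Red" };

    // Returns the HTML for infoMsgDiv.InnerHtml; panelClass mirrors the original's output.
    public static string Render(IEnumerable<string> msgList, out string panelClass)
    {
        var sb = new StringBuilder("<ul>");
        string msgColor = "black";
        panelClass = "panoerror";

        foreach (string s in msgList)
        {
            // The original assumes a "[Type]" prefix; handle a message without one.
            int typeLastIndex = s.IndexOf(']');
            string type = typeLastIndex >= 0 ? s.Substring(0, typeLastIndex + 1) : string.Empty;
            string msg = typeLastIndex >= 0 ? s.Substring(typeLastIndex + 1) : s;

            if (type == "[Error]")
            {
                msgColor = "Red";
                panelClass = "paerror";
            }
            if (!AllowedColors.Contains(msgColor))
                throw new InvalidOperationException("colour not in allow-list: " + msgColor);

            // msg is the untrusted part: encode it for HTML text content
            // (WebUtility.HtmlEncode stands in for AntiXss.HtmlEncode here).
            sb.Append("<li style='color:").Append(msgColor).Append("'>")
              .Append(WebUtility.HtmlEncode(msg))
              .Append("</li>");
        }
        sb.Append("</ul>");
        return sb.ToString();
    }

    // The thread's first snippet: the node value is untrusted, the ";" separator is not.
    // This is the poster's second placement; the first one is equally safe.
    public static string AppendNodeValue(string currentText, string nodeValue)
    {
        return currentText + ";" + WebUtility.HtmlEncode(nodeValue);
    }

    public static void Main()
    {
        // Constructed sample input: one plain message and one carrying markup.
        var msgs = new List<string>
        {
            "[Info]Saved 3 records",
            "[Error]Bad value: <script>alert(1)</script>"
        };
        string cls;
        Console.WriteLine(Render(msgs, out cls));
        Console.WriteLine(cls);
        Console.WriteLine(AppendNodeValue("root", "<b>x</b>"));
    }
}
```

Run it and the second list item comes out with the angle brackets turned into entities while the colour and class are untouched; the fix is correct as long as the encoder matches the context the value is written into, independently of whether a given scanner recognises that encoder.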

Apr 29, 2011 at 4:13 AM

Does CAT.Net have the ability to recognize AntiXSS as a valid encoding method for this? I think that is what might be happening. I haven't dug into the underpinnings of CAT.Net, but my guess is that it only looks for Server.HTMLEncode vs. the AntiXSS libraries. I am not sure if there is a way to fix that.