Does SRE do JavaScriptEncode and URLEncode automatically?

Jan 14, 2009 at 6:08 PM
Edited Jan 15, 2009 at 12:48 PM


Basically, I understand how SRE works for controls rendered by ASP.NET.

My questions now are:

1. I presume that if a URL is rendered as data for any control, it would be encoded by SRE. Is that correct?

2. However, does SRE automatically URLEncode any URL that is used in Response.Redirect?

3. In the same way, if any JavaScript is rendered in the code-behind file (.cs, using RegisterClientScriptBlock) or in the .aspx file, will SRE encode it automatically?

Based on my understanding, I guess the answer to #2 and #3 is No. Please confirm and provide any input on the reasoning, or any other solution for that (an easy one like SRE).

Thanks

Coordinator
Mar 16, 2009 at 7:32 PM
Hi,

I will answer your questions in the same order.

1. Control encoding is not dynamically determined based on the source. At this point, SRE encodes data based on the configuration in the AntiXssModule.config file. Currently you can only define one type of encoding for a control property. The next version could have an overriding attribute that can be defined in the source.
2. SRE only encodes data in the controls, so Response.Redirects will not be encoded.
3. Same as above.

The good solution for 2 and 3 is to run static analysis tools to determine the source paths which could lead to security issues. CAT.NET is a static analysis tool released by our team which would flag those issues, but you would have to fix them yourself. You can download it from http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en.

Thanks
Anil RV
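For cases 2 and 3 above, the encoding has to be applied by hand in the code-behind, since SRE only sees control properties. The following is an added illustration, not code from the thread or from the AntiXSS project; the page class, the query-string names and the `/Default.aspx` fallback are hypothetical, and the `AntiXss.UrlEncode` / `AntiXss.JavaScriptEncode` calls are the AntiXSS 3.x static API.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Security.Application;   // AntiXss static class (AntiXSS 3.x)

// Hypothetical page class, added for illustration only.
public partial class ResultsPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: query-string values are caller-controlled.
        string term = Request.QueryString["q"] ?? string.Empty;
        string returnTo = Request.QueryString["returnUrl"] ?? "/Default.aspx";

        if (!IsPostBack)
            EmitSearchTermScript(term);   // case 3: script from code-behind
        else
            RedirectBack(returnTo, term); // case 2: Response.Redirect
    }

    // Case 3: SRE never sees a string passed to RegisterClientScriptBlock,
    // so the value must be JavaScript-encoded here before it is embedded.
    private void EmitSearchTermScript(string term)
    {
        // AntiXss.JavaScriptEncode returns the value already wrapped in
        // single quotes (e.g. 'abc'), so none are added around it here;
        // confirm this against the AntiXSS version actually in use.
        string script = "var searchTerm = " + AntiXss.JavaScriptEncode(term) + ";";
        ClientScript.RegisterClientScriptBlock(GetType(), "searchTerm", script, true);
    }

    // Case 2: SRE does not encode Response.Redirect targets either.
    private void RedirectBack(string returnTo, string term)
    {
        // Only follow site-relative paths; anything else falls back to a
        // fixed local page. UrlEncode is applied to the query-string value
        // only, never to the whole URL (that would mangle "/" and "?").
        string path = IsLocalPath(returnTo) ? returnTo : "/Default.aspx";
        string separator = path.Contains("?") ? "&" : "?";
        Response.Redirect(path + separator + "q=" + AntiXss.UrlEncode(term));
    }

    private static bool IsLocalPath(string url)
    {
        // A single leading "/" (not "//" or "/\") keeps the target on this host.
        return url.Length > 1 && url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }
}
```

In AntiXSS 4.x the same methods live on the `Encoder` class (`Encoder.UrlEncode`, `Encoder.JavaScriptEncode`), with the same encoding semantics.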