Using AntiXSS library / module with HttpHandlers

Feb 13, 2009 at 8:10 PM
First off, congrats on the work. :)
I understand that the module looks for a "PageHandler" and encodes the page. My app uses HttpHandlers entirely; any suggestions on how best we can incorporate the AntiXSS lib/module for this scenario?

Thanks.
Feb 16, 2009 at 6:10 PM
Hi Anandcbe14,

Thanks! The work is really that of one of the best teams I have ever had the fortune to work with.
I don't know the best answer regarding your question, so let me do some research and get back to you.

Cheers,

Dennis Groves // degroves@microsoft.com
Feb 17, 2009 at 12:53 AM
Hi Anandcbe14,

I have an answer for you from RV, one of the developers who wrote AntiXSS. He says:

"SRE uses the Page_PreRender event to handle page encoding. So, if any of your handlers are doing the same, then it might interfere with SRE encoding. I would suggest you test and see if SRE causes any issues. Also, if you can give a generic description of your custom handler activity, it would help me understand whether SRE would cause any issues or not."

Cheers,

Dennis Groves // degroves@microsoft.com

Feb 17, 2009 at 6:10 PM
Thanks for the response Dennis.
Our app is a web page generation framework:
- request comes into the handler with a few query string parameters
- handler uses these parameters to determine which XML & XSL to use to generate content
- resulting HTML from the above transform is rendered to the client browser
- in case there are forms & form elements, they are processed by appropriate methods and merged (as needed) with the XML before transformation

The only method in our handler is ProcessRequest(), and it doesn't hook into any of the common events like the ASP.NET page's PreRender, etc.
ProcessRequest calls into a business logic factory, hands over the parameters it received, and spits out the response from the factory.

I hope this gives some understanding of the app I'm dealing with here.

Thanks again,
Anand
Coordinator
Feb 23, 2009 at 4:37 PM
Anand,

In this case, there is very little the handler could do. As an XML transformation resulting in XML cannot be intercepted by a handler, the AntiXSS handler would not help you a lot. I would look into the XSLT files and try to use AntiXSS encoding in XSLT methods. I will share a blog post later with regards to enabling AntiXSS encoding in XSLT and encoding data during transformations.

Hope this helps.

Thanks
Anil RV
Feb 24, 2009 at 7:31 PM
Looking forward to your blog post.
Thanks, Anil.
Jul 22, 2010 at 9:23 PM

I'm looking into using AntiXSS with XSLTs. Any information related to this would be helpful. Is the promised blog post available anywhere?

Coordinator
Jul 22, 2010 at 9:28 PM

Oh, right. Well Anil is off doing other exciting things so you have me now.

The AntiXSS library works with XSLTs just fine; it's the SRE and custom HTTP handlers that are fun. If that is indeed your scenario, bthubbard, let me know. I've rewritten the SRE, so I can have a think about what further needs to be done.

Jul 23, 2010 at 7:50 PM

Thanks for the quick reply, sorry for not responding until now.

It sounds like my scenario will be supported, as what I'm thinking about is fairly straightforward. What I'm concerned about is passing values via XsltArgumentList that will later be used to render HTML. I've run some tests and it seems that whatever I pass in is already being encoded in some way (XmlEncode?), either by the XsltArgumentList, by XslCompiledTransform.Transform(), or when the output is later assigned to a Literal's Text and added to a Panel. I've tried running XmlEncode and HtmlEncode on an XsltArgumentList parameter with invalid input, and in both cases it resulted in double encoding.

Coordinator
Jul 23, 2010 at 8:03 PM

I'd have to go digging around to find who owns the XML bits to see what they're doing. So the result of your XSLT is put "raw" into a text Literal ASP.NET control?

AntiXSS doesn't canonicalise, so I would suggest you run the appropriate framework decode method first if that's the behaviour you want.
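Anil's suggestion earlier in the thread (call AntiXSS encoding from XSLT methods) and bthubbard's double-encoding observation, worked through in an added C# example that is not from this thread or from the AntiXSS project. It assumes AntiXSS 3.x's static `Microsoft.Security.Application.AntiXss` class (later releases expose the same methods on `Encoder`), a stub input document, and a constructed stylesheet; the namespace URI `urn:example:antixss`, the class names `AntiXssXsltExtension` and `XsltEncodingDemo`, and the hostile sample value are mine. It goes slightly beyond the thread by showing why pre-encoded parameters come out double-encoded (the HTML serializer escapes text nodes on its own) and the one XSLT context where an extension object is actually required: `disable-output-escaping`, which bypasses that serializer.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;
using Microsoft.Security.Application; // AntiXSS 3.x: static AntiXss class (assumed reference)

// Extension object handed to the stylesheet via XsltArgumentList.AddExtensionObject.
// Every public method becomes callable from XPath under the registered namespace URI.
public class AntiXssXsltExtension
{
    public string HtmlEncode(string value) { return AntiXss.HtmlEncode(value); }
    public string UrlEncode(string value)  { return AntiXss.UrlEncode(value); }
}

public static class XsltEncodingDemo
{
    // Constructed stylesheet: the same parameter emitted into three output contexts.
    private const string Stylesheet = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:enc=""urn:example:antixss""
    exclude-result-prefixes=""enc"">
  <xsl:output method=""html"" />
  <xsl:param name=""userName"" />
  <xsl:template match=""/"">
    <!-- 1. Text node: the HTML serializer escapes & and < by itself, so the
            raw value goes in. Passing an already HtmlEncode()d value here is
            what yields &amp;lt; (the double encoding seen in the thread). -->
    <p>Hello, <xsl:value-of select=""$userName"" /></p>
    <!-- 2. disable-output-escaping switches the serializer off, so AntiXSS
            has to do the work; this is where the extension object belongs. -->
    <p><xsl:value-of select=""enc:HtmlEncode($userName)"" disable-output-escaping=""yes"" /></p>
    <!-- 3. URL query value: the serializer never percent-encodes, and
            AntiXss.UrlEncode emits no & or <, so nothing is encoded twice. -->
    <a href=""profile.aspx?name={enc:UrlEncode($userName)}"">profile</a>
  </xsl:template>
</xsl:stylesheet>";

    public static string Render(string userName)
    {
        var xslt = new XslCompiledTransform();
        using (XmlReader reader = XmlReader.Create(new StringReader(Stylesheet)))
        {
            xslt.Load(reader);
        }

        var args = new XsltArgumentList();
        // Raw value in: do not HtmlEncode() it before AddParam.
        // AntiXSS does not canonicalise, so if an upstream layer already HTML-encoded
        // the value, decode it first (e.g. HttpUtility.HtmlDecode) or it double-encodes.
        args.AddParam("userName", string.Empty, userName);
        args.AddExtensionObject("urn:example:antixss", new AntiXssXsltExtension());

        var input = new XmlDocument();
        input.LoadXml("<root/>"); // the parameter carries the data; the input document is a stub

        using (var output = new StringWriter())
        {
            // TextWriter output honours disable-output-escaping; an XmlWriter may not.
            xslt.Transform(input, args, output);
            return output.ToString();
        }
    }

    public static void Main()
    {
        // Constructed hostile input; all three contexts render it inert.
        Console.WriteLine(Render("<script>alert(1)</script>"));
    }
}
```

The division of labour is the point: context 1 needs no AntiXSS call at all, context 2 needs it precisely because the serializer has been told to stand aside, and context 3 needs it because HTML escaping is the wrong encoding for a URL. Encoding once, in the right place, is what avoids the `&amp;lt;` output described above; if the transform result is later assigned to a Literal control, leave that control's own encoding off as well.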