CSS Encoding?

Aug 19, 2009 at 6:06 PM

I don't seem to see anyway of doing CSS encoding via the AntiXSS library.  See: http://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values  (not sure if they ever fixed the 'expression' problem discussed here: https://lists.owasp.org/pipermail/owasp-esapi/2009-February/000406.html).

The OWASP ESAPI for Java appears to have an encoding mechanism that makes data safe for dynamic style sheets and I would love to see similiar functionality for my .NET app.  Is this something that has been considered?


Aug 19, 2009 at 7:11 PM

In the next version of Anti-XSS library we are going to include a method for escaping CSS strings in the form of \XXXXXX for each character. This method will be using the same whitelist used by HtmlEncode.