Couple of bugs or hard integration process?

Oct 17, 2009 at 11:26 AM

Hi, we have already created ASP.NET 3.5 website project and there are lot of pages and business logic. We are looking for solution how to protect our website from the XSS attacks now, especially on the pages with HTML-editor with ValidateRequest=false. We have found your AntiXss library v.3.1 and it is really good idea, because to replace each Label, Literal, TextBox etc with some custom created safe controls now or encode/decode data on the each web page or web control is not a simple process. Especially that this process does not guaranty that some developer will not make an mistake and will use only safe controls and encode/decode values in the each required row of code. So, we have tried to integrate your library, but it looks like not a simple process too. Here are my questions/comments:

1) We have some logic on different pages on the overridden "OnPreRender" method, after your module's integration - this code doesn't work ("base.OnPreRender(e);" throws a null reference exception, if we remove or put this line of code in the try/catch block - other controls like ASP.NET AJAX Toolkit Extenders don't work). Why? Is you library require do not use overridden "OnPreRender" methods?

2) Usually, we bind different data in the controls like ASP.NET Repeater using something like Eval("Name") code in the ItemTemplate block. Your library doesn't protect (clean) it, if "Name" contains some java script code for example - it will be rendered and executed on the page. We don't want to put Label/Literal controls instead each Eval code and bind data in the code behind - it is not useful and requires more lines of redundant code. Do you plan to make some changes in the library for this type of binding or maybe do you have some recommendations?

3) We have HTML editors on some pages and we have tried to use GetSafeHtmlFragment() method to clean an user's input, but result of this method is not expected:

- if some HTML element contains "class" attribute then class name will be renamed with "x_" prefix, so a result is damaged and not displayed correctly. Why? Is it possible to disable this feature without changes in the source code of library?

- small russian's symbol "м" is replaced with "м" code. I don't think that this symbol is unsafe. Is it a bug/mistake in the allowed white list?

- if css style attribute contains something like style="background-color:red;[some unsafe code]" then all content of style element is removed (the result is style=""), including background-color property. Why? Is it expected result?

I will appreciate for your answers.


Oct 23, 2009 at 4:22 PM

Hi Maryan,

I see you have multiple issues here, will try to answer as much as I can.

1. SRE is a HTTP module which adds event handler of Page.PreRender event, which is causing this issue. We have seen this issue earlier and we are looking to making some changes in the future versions. At this point, I would suggest avoiding overriding OnPreRender instead use PreRender event handler.
2. Eval expressions are ASP.NET compile time data binding expressions. Thus they are unavailable to SRE execution, although we would like to cover this scenario, it is very difficult for us to protect them. Also Eval itself is not very good to use as it use reflection to do late binding.
3. GetSafeHtmlFragment may not change anytime soon.