Is there a simple example of using AntiXSS in javascript?

Dec 11, 2009 at 11:32 PM

My JavaScript is rusty and now I need to add security to some existing pages. What would really help is maybe a 15-line example showing how you would apply anti-xss inside a javascript block. Several places in the help files show this kind of thing:  Microsoft.Security.Application.AntiXss.javaScriptEncode = function(input);

Call me silly, but that doesn't really mean anything to me as far as how I apply the javaScriptEncode function inside a javascript block. Such as this (except this doesn't work):

<script type="text/javascript">
function ModifyContact(modifycontactid, clicked)
{
    var clickedrow = clicked.parentElement.parentElement;
    // Replaces the cell with an <input> built from an HTML string. The call below is the
    // .NET AntiXss API; it is a server-side namespace and is not defined in the browser,
    // which is why this block fails at runtime.
    clickedrow.cells[0].innerHTML = '<input onkeydown="HandleKeysModify();" type="text" id="txtNameToModify" value="' + Microsoft.Security.Application.AntiXss.JavaScriptEncode(clickedrow.cells[0].innerText) + '" />';
}
</script>

Sorry if this isn't the clearest example, but the question is how do I apply AntiXss to an element such as clickedrow.cells[0].innerText inside a javascript block. It looks like the library was designed to handle this, it's just the details that elude me. Thanks in advance for any help.

Coordinator
Dec 11, 2009 at 11:40 PM

Hi,

Anti-XSS is a managed library, meaning you have to encode on the server side or in an ASP.NET script block. In your sample you are trying to encode on the client, which is not supported. Here is an example of how to use the JavaScriptEncode method.

        // Requires: using System.Text; (StringBuilder) and using Microsoft.Security.Application; (AntiXss)
        protected void Page_Load(object sender, EventArgs e)
        {
            // Build the welcome script with a StringBuilder.
            StringBuilder sbScript = new StringBuilder();
            sbScript.Append("function welcomeUserMessage() {");

            // AntiXss.JavaScriptEncode returns the value as a quoted JavaScript string literal
            // that is safe for a JavaScript context. The username comes from a cookie, an
            // untrusted source, so it is encoded before it is written into the script.
            sbScript.AppendLine("alert('Welcome '+" + AntiXss.JavaScriptEncode(Request.Cookies["UserSettings"]["Username"]) + "+' to the feedback management site');");
            sbScript.AppendLine("}");

            // Register the script block on the page (addScriptTags = true wraps it in <script>).
            this.ClientScript.RegisterClientScriptBlock(this.GetType(), "welcomeUserMessage()", sbScript.ToString(), true);
        }

You can also use AntiXss.JavaScriptEncode using <%=%> blocks as well.

Thanks

Anil Revuru (INFORMATION SECURITY TOOLS)
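The answer above makes two points: the encoding has to happen where the page is generated, and JavaScriptEncode returns a value that is safe to drop into a JavaScript context. The following is an added example (Node.js), not code from the AntiXSS project or from anyone in this thread. jsStringEncode is a stand-in that mirrors the property the C# sample relies on (the value comes back wrapped in single quotes, with everything else escaped); buildWelcomeScript reproduces the welcome-message script from that sample; runWelcomeScript executes the generated script with a stand-in alert() to show the untrusted value arrives as data; and modifyContact covers the question's ModifyContact case in the browser, where no encoder is available but none is needed if the input is built through DOM properties rather than an HTML string. The escape table, the function names and the sample username are this example's own assumptions.

```javascript
// Added example (Node.js); not the AntiXSS library's own code.
// jsStringEncode mirrors what the C# sample relies on: the value comes back
// wrapped in single quotes, with everything outside a small safe set escaped,
// so it can be dropped into a <script> block as a string literal. The safe
// set and escape forms below are this example's assumptions, not the
// library's exact table.
function jsStringEncode(input) {
  let out = "'";
  for (const ch of input) {            // iterates by code point
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9 ]$/.test(ch)) {
      out += ch;                        // letters, digits and space pass through
    } else if (cp < 0x100) {
      out += "\\x" + cp.toString(16).padStart(2, "0");
    } else if (cp < 0x10000) {
      out += "\\u" + cp.toString(16).padStart(4, "0");
    } else {
      // Outside the BMP: emit the UTF-16 surrogate pair.
      const hi = 0xd800 + ((cp - 0x10000) >> 10);
      const lo = 0xdc00 + ((cp - 0x10000) & 0x3ff);
      out += "\\u" + hi.toString(16) + "\\u" + lo.toString(16);
    }
  }
  return out + "'";
}

// Server side: build the same welcome script as the C# sample. The username
// is untrusted (it came from a cookie), so it is only ever emitted encoded.
function buildWelcomeScript(username) {
  return "function welcomeUserMessage() { alert('Welcome ' + " +
    jsStringEncode(username) +
    " + ' to the feedback management site'); }";
}

// Check harness: run the generated script with a stand-in alert() and return
// what it was called with. A correctly encoded username arrives as one
// message string and never becomes code.
function runWelcomeScript(username) {
  const calls = [];
  const script = buildWelcomeScript(username) + " welcomeUserMessage();";
  new Function("alert", script)((msg) => calls.push(msg));
  return calls;
}

// Browser side, for the question's ModifyContact case: there is no AntiXSS
// in the browser, but none is needed when the <input> is built through DOM
// properties. The cell text is assigned as data and never parsed as markup.
// (Runs only in a page; `document` does not exist under Node.)
function modifyContact(clickedrow, handleKeysModify) {
  const cell = clickedrow.cells[0];
  const original = cell.textContent;
  const input = document.createElement("input");
  input.type = "text";
  input.id = "txtNameToModify";
  input.value = original;
  input.addEventListener("keydown", handleKeysModify);
  cell.textContent = "";
  cell.appendChild(input);
  return input;
}

// Constructed sample: a username containing a quote and a closing tag.
const sampleUsername = "O'Brien</script>";
console.log(buildWelcomeScript(sampleUsername));
console.log(runWelcomeScript(sampleUsername));
```

Running it prints the generated script with the username as `'O\x27Brien\x3c\x2fscript\x3e'` and then a one-element array holding the full welcome message, which is the behaviour the server-side encoding is meant to guarantee. The DOM approach in modifyContact is the client-side equivalent: because nothing is concatenated into markup, the value of the cell has no syntactic meaning to the parser.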


Coordinator
Dec 11, 2009 at 11:42 PM

BTW, this MSDN article is also very helpful; although it is old, most of the content is still relevant.

http://msdn.microsoft.com/en-us/library/aa973813.aspx

Thanks

Anil Revuru (INFORMATION SECURITY TOOLS)


Dec 11, 2009 at 11:59 PM

What you are saying is kind of what I was afraid of, that I would have to spend hours and hours converting the javascript to be written out as a string from the server side. Let me ask this a different way. In the help file for the antixss library under "AntiXss.JavaScriptEncode Method (String)" it gives this example under the heading "Javascript":

Microsoft.Security.Application.AntiXss.javaScriptEncode = function(input);

I assume they wouldn't put this in the help file if it didn't mean something, my question is, using this example, how do I actually encode a variable in a javascript block?

Thanks for your explanations so far, I just don't understand what this example of code is for (supposedly in javascript) if this only works server side?

Dec 15, 2009 at 5:57 PM

Hmm, maybe the example is for "Server-side javascript" and they just didn't bother to differentiate it from the more standard "client side javascript" that everyone (especially myself) would assume. So unless somebody comes along with a rescuing clue, I am going to have to rewrite/reformat substantial code to make these javascript variables anti-xss compliant.

Dec 16, 2009 at 10:40 AM
paulxray wrote:

Hmm, maybe the example is for "Server-side javascript" and they just didn't bother to differentiate it from the more standard "client side javascript" that everyone (especially myself) would assume. So unless somebody comes along with a rescuing clue, I am going to have to rewrite/reformat substantial code to make these javascript variables anti-xss compliant.

Yup, that's pretty much it. It's possible to write ASP.NET pages with no code-behind components in JScript. The documentation software used to produce the docs will automatically write the code samples in all the languages it can. So I'm afraid it's not a client-side function, even if it is a javascript sample. Which makes sense; it's a server-side library.