Unable to use AntiXss with .Net 2.0

Oct 15, 2009 at 11:14 AM

Hey,

I am working on an application which is built in .Net 2.0, has 150+ pages and is currently in production.

I have to implement security against XSS in it. Currently I am doing it by using Global.asax to validate that each control does not contain potentially dangerous characters and redirect the user to a custom error page. But this has a serious performance issue as it loops through all the controls on the page.

I thought of using SRE, but although the AntiXss 3.1 system requirements say .Net 2.0 and higher, I am not able to install it as it asks for .Net 3.5 and higher.

It is technically infeasible to write AntiXss.HtmlEncode or HttpUtility.encode on all pages and follow all code paths.

PLEASE HELP. WHAT SHOULD I DO? CAN I SOMEHOW USE SRE-like functionality for .Net 2.0?


Coordinator
Oct 15, 2009 at 5:01 PM

Hi Shubra,

Although the installer requires .NET 3.5, the v3.1 Security Runtime Engine HTTP module does not. The SRE module is targeted at the .NET 2.0 framework. I would suggest installing on a system which has .NET 3.5 on it, copying the HTTP module DLLs to your application's bin folder and enabling the module. Follow these steps to ensure that the module works properly.

Step 1: Copy the default antixssmodule.config from the Security Runtime Engine\Module folder to your web application's root folder.

Step 2: Copy the dll's from the Security Runtime Engine\Module folder to your web application's \bin folder.

Step 3: Enable the SRE module by modifying your web.config file according to these examples:

In IIS 6.0 and IIS 7.0 in Classic .NET Application Pool

<system.web>
    <httpModules>
        <add name="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>
    </httpModules>
</system.web>

In IIS 7.0 pipeline mode

<system.webServer>
    <modules>
        <add name="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>
    </modules>
</system.webServer>

Let me know if you have any further questions.

Thanks
Anil

Coordinator
Oct 15, 2009 at 5:02 PM

Also, please remove the following nodes from the antixssmodule.config file.

<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlTableCell" PropertyName="InnerHtml" EncodingContext="SafeHtml" />
<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlTableRow" PropertyName="InnerHtml" EncodingContext="SafeHtml" />
<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlTextArea" PropertyName="InnerHtml" EncodingContext="SafeHtml" />
<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlAnchor" PropertyName="InnerHtml" EncodingContext="SafeHtml" />
<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlButton" PropertyName="InnerHtml" EncodingContext="SafeHtml" />
<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlGenericControl" PropertyName="InnerHtml" EncodingContext="SafeHtml" />

Thanks
Anil

Oct 16, 2009 at 3:38 PM

Hey Anil,

Thanks a lot. I will try it and let you know.

HAPPY DIWALI!

Thanks

Shubhra

Oct 23, 2009 at 11:33 AM

Hey Anil,

I did as you suggested and it's working fine for most of the controls, except at one place where we are using a PlaceHolder.

In one particular screen we are using a PlaceHolder which shows data by dynamically binding Table, TableRow, TableCell and Label controls from the code-behind.

AntiXSS is supposed to encode it, as WebControls.Table, TableCell and Label are already listed in antixssmodule.config.

But as at runtime there is no PlaceHolder rendering, the page data is displayed in table, tr, td and span elements, and if the data is <script>alert("hi")</script> it gives the alert message.

I also tried adding an entry for the PlaceHolder in antixssmodule.config, but it's not working.

Kindly suggest what to do?

Thanks in advance

Coordinator
Oct 23, 2009 at 4:54 PM

Shubra,

From the looks of it, the proper control is not being configured. Can you paste some sample code here?

Thanks

Anil

Nov 3, 2009 at 2:06 PM

Hey,
I had commented out the code for table and table cells and it was working fine.
Actually I guess it was getting double encoded.
It worked, thanks!

Have you ever worked with Infragistics Controls?
Especially UltraWebGrid?

Thanks in advance!

Nov 3, 2009 at 2:14 PM

Hi Anil,

Also I need your help.

With the success of AntiXSS in 2.0 (thanks to you), now I have to implement it in .Net 1.1.

I am going to follow the same steps as you had recommended for using AntiXSS with .Net 2.0.

Any other advice you would like to give me? :-)

Thanks

Shubhs


Coordinator
Nov 3, 2009 at 6:36 PM

No, I have not worked with Infragistics controls; however, we tested SRE with some other 3rd party controls and it worked fine, as long as the control and its property are properly defined in the antixssmodule.config file.

Thanks

Anil Revuru (INFORMATION SECURITY TOOLS)

Coordinator
Nov 3, 2009 at 6:42 PM

With .NET 2.0, SRE uses PostMapRequestHandler, which tells us when a page is mapped to the ASP.NET Page handler. In the case of .NET 1.1 there is really no equivalent event; I would try using PreRequestHandlerExecute, but I am not entirely certain that it will work.

Thanks

Anil Revuru (INFORMATION SECURITY TOOLS)

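
The module mechanism Anil describes above (hook PostMapRequestHandler, act only when the handler is a Page, then encode the control properties listed in antixssmodule.config before render) can be illustrated with a small HTTP module. The code below is an added example written for this thread; it is not the Security Runtime Engine's own code and it uses none of its types. The class name IllustrativeEncodingModule, the EncodeTree and EncodeProperty helpers, and the hard-coded type-to-property table standing in for antixssmodule.config are all assumptions made for the example. It targets C# 2.0 / .NET 2.0, uses HttpUtility.HtmlEncode so that it builds against the framework alone, and is registered in web.config exactly like the AntiXssModule entries in Anil's Step 3, with only the type name changed.

```csharp
// Illustrative HTTP module (added example, not SRE code) showing the mechanism
// described in this thread: hook PostMapRequestHandler, and when the request
// handler is an ASP.NET Page, HTML-encode configured control properties right
// before the page renders. Written for C# 2.0 / .NET 2.0.
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class IllustrativeEncodingModule : IHttpModule
{
    // Stand-in for antixssmodule.config's ControlEncodingContext entries
    // (control type -> string property to encode). Constructed for this example.
    // The HtmlTableCell/HtmlTableRow/... InnerHtml contexts that Anil asked to
    // remove are deliberately absent: InnerHtml is meant to carry markup the page
    // already built, so encoding it breaks the markup and double-encodes text the
    // code-behind already encoded.
    private static readonly Dictionary<Type, string> EncodingContexts = BuildContexts();

    private static Dictionary<Type, string> BuildContexts()
    {
        Dictionary<Type, string> map = new Dictionary<Type, string>();
        map.Add(typeof(Label), "Text");
        map.Add(typeof(TableCell), "Text");   // also matches TableHeaderCell (subclass)
        map.Add(typeof(Literal), "Text");
        map.Add(typeof(HyperLink), "Text");
        return map;
    }

    public void Init(HttpApplication application)
    {
        // PostMapRequestHandler fires once ASP.NET has chosen the handler for the
        // request, so we can test whether it is a Page. .NET 1.1 has no such event;
        // PreRequestHandlerExecute is Anil's (untested) suggestion for that version.
        application.PostMapRequestHandler += new EventHandler(OnPostMapRequestHandler);
    }

    public void Dispose() { }

    private void OnPostMapRequestHandler(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        Page page = app.Context.Handler as Page;
        if (page == null)
        {
            return; // static files, web services, handlers etc. are not pages
        }
        // PreRender runs after Page_Load and data binding, so controls the
        // code-behind added to a PlaceHolder, or rows a GridView generated, are
        // already in the control tree when we walk it.
        page.PreRender += new EventHandler(OnPagePreRender);
    }

    private void OnPagePreRender(object sender, EventArgs e)
    {
        EncodeTree((Control)sender);
    }

    // Recursive walk over the whole tree: Table/TableRow/TableCell/Label controls
    // created dynamically inside a PlaceHolder are reached because every child is
    // visited, regardless of how it was added.
    internal static void EncodeTree(Control root)
    {
        foreach (KeyValuePair<Type, string> context in EncodingContexts)
        {
            if (context.Key.IsInstanceOfType(root))
            {
                EncodeProperty(root, context.Value);
            }
        }
        foreach (Control child in root.Controls)
        {
            EncodeTree(child);
        }
    }

    private static void EncodeProperty(Control control, string propertyName)
    {
        PropertyInfo prop = control.GetType().GetProperty(propertyName);
        if (prop == null || prop.PropertyType != typeof(string) || !prop.CanWrite)
        {
            return;
        }
        string value = (string)prop.GetValue(control, null);
        if (String.IsNullOrEmpty(value))
        {
            return;
        }
        // HttpUtility.HtmlEncode keeps the example dependency-free; the AntiXss
        // encoder (Microsoft.Security.Application.AntiXss.HtmlEncode) is a drop-in
        // replacement here.
        prop.SetValue(control, HttpUtility.HtmlEncode(value), null);
    }
}
```

Two points follow directly from the thread. First, the module encodes whatever value the property holds at PreRender, so if the code-behind already called AntiXss.HtmlEncode on a Label.Text, that control is encoded twice, which is the double-encoding Shubhra hit; the fix is to encode in exactly one place, either in the module's context table or in the page code, not both. Second, a control type that is not in the table (here, PlaceHolder) is simply descended into, not encoded, which is why adding a PlaceHolder entry changes nothing: the encoding has to apply to the child controls that actually carry the text.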

Aug 30, 2011 at 8:10 AM

Hi Shubhra,

Currently I am using a TextBox in a GridView which is inside a ContentPlaceHolder, but I am unable to bind it. Please find my line of code below:

<asp:TextBox ID="txtOrder" runat="server" Width="30px"  MaxLength="3" Text='<%Microsoft.Security.Application.AntiXss.HtmlEncode(((System.Data.DataRowView)Container.DataItem)["DisplayOrder"].ToString()) %>'> 

I have also followed the steps below:

Step 1: Copy the default antixssmodule.config from the Security Runtime Engine\Module folder to your web application's root folder.

Step 2: Copy the dll's from the Security Runtime Engine\Module folder to your web application's \bin folder.

Please provide your feedback,

Appreciate your response at the earliest.

Regards

Varun

Coordinator
Aug 30, 2011 at 5:17 PM

If all you want is encoding you don't need to use the SRE, you simply add a reference to the encoder libraries in your project.

However, v4.0 does *not* support .NET 2.0.