Hi, we have already created an ASP.NET 3.5 website project, and it has a lot of pages and business logic. We are now looking for a solution to protect our website from XSS attacks, especially on the pages with an HTML editor and ValidateRequest=false. We have found your AntiXss library v3.1, and it is a really good idea, because replacing each Label, Literal, TextBox etc. with custom-created safe controls now, or encoding/decoding data on each web page or web control, is not a simple process. Moreover, that process does not guarantee that a developer will not make a mistake and will use only safe controls and encode/decode values in each required line of code. So, we have tried to integrate your library, but it looks like that is not a simple process either.
Here are my questions/comments:
1) We have some logic on different pages in an overridden "OnPreRender" method; after integrating your module this code doesn't work ("base.OnPreRender(e);" throws a null reference exception, and if we remove that line or put it in a try/catch block, other controls like the ASP.NET AJAX Toolkit extenders don't work). Why? Does your library require that overridden "OnPreRender" methods not be used?
2) Usually, we bind data in controls like the ASP.NET Repeater using something like Eval("Name") in the ItemTemplate block. Your library doesn't protect (clean) it: if "Name" contains some JavaScript code, for example, it will be rendered and executed on the page. We don't want to put Label/Literal controls in place of each Eval call and bind the data in the code-behind; it is not convenient and requires more lines of redundant code. Do you plan to make some changes in the library for this type of binding, or do you have some recommendations?
3) We have HTML editors on some pages and we have tried to use the GetSafeHtmlFragment() method to clean the user's input, but the result of this method is not what we expected:
- if an HTML element contains a "class" attribute, the class name is renamed with an "x_" prefix, so the result is damaged and not displayed correctly. Why? Is it possible to disable this feature without changes in the source code of
- the lowercase Russian letter "м" is replaced with the "м" character code. I don't think that this symbol is unsafe. Is it a bug/mistake in the allowed whitelist?
- if a CSS style attribute contains something like style="background-color:red;[some unsafe code]", then the whole content of the style attribute is removed (the result is style=""), including the background-color property. Why? Is that the expected result?
I would appreciate your answers.
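An added example for question 2, written from the defender's side (this is not code from the post above, nor from the AntiXss library): a small static helper that encodes the result of Eval() at the binding site, so a Repeater template stays a one-liner and needs no extra Label or Literal control. It assumes AntiXss 3.1's static `Microsoft.Security.Application.AntiXss` class (`HtmlEncode`, `HtmlAttributeEncode`, `GetSafeHtmlFragment`); the `SafeBind` class and the `MySite.Security` namespace are hypothetical names chosen for this example.

```csharp
// Added example (not from the original post or the AntiXss project).
// Assumes AntiXss 3.1: the static Microsoft.Security.Application.AntiXss class.
using System;
using Microsoft.Security.Application;

namespace MySite.Security // hypothetical namespace for this example
{
    // Call these from <%# %> binding expressions so the value is encoded for the
    // exact context it lands in. Example ItemTemplate (assumed markup):
    //
    //   <asp:Repeater ID="Items" runat="server">
    //     <ItemTemplate>
    //       <li title='<%# SafeBind.Attr(Eval("Name")) %>'>
    //         <%# SafeBind.Html(Eval("Name")) %>
    //       </li>
    //     </ItemTemplate>
    //   </asp:Repeater>
    public static class SafeBind
    {
        // Text between tags: <td><%# SafeBind.Html(Eval("Name")) %></td>
        // A value such as <script>...</script> is rendered as literal text, not executed.
        public static string Html(object value)
        {
            return AntiXss.HtmlEncode(AsString(value));
        }

        // Attribute values: <a title="<%# SafeBind.Attr(Eval("Name")) %>">...</a>
        // Uses the attribute encoder, which also handles the quote characters
        // that would let a value break out of the attribute.
        public static string Attr(object value)
        {
            return AntiXss.HtmlAttributeEncode(AsString(value));
        }

        // Rich text saved from the HTML editor: sanitise again when rendering, as
        // defence in depth in case a row was stored without going through the
        // sanitiser:  <div><%# SafeBind.Rich(Eval("Body")) %></div>
        public static string Rich(object value)
        {
            return AntiXss.GetSafeHtmlFragment(AsString(value));
        }

        // Eval() returns object and may yield null or DBNull; normalise to a
        // string before encoding so the template never throws on empty data.
        private static string AsString(object value)
        {
            if (value == null || value == DBNull.Value)
            {
                return string.Empty;
            }
            return Convert.ToString(value);
        }
    }
}
```

Routing every binding through one helper also gives a simple code-review rule for the whole site: any `<%# Eval(` that is not wrapped in a `SafeBind.*` call is a finding, which is easy to check with a text search, whereas a mix of Label, Literal and raw Eval usages is not.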