Why encode controls when visible=false

Jan 11, 2010 at 11:32 AM

I have a master page with controls on it that are only made visible when the request is authenticated. Some pages that do not require authentication (login.aspx) use this master page. These controls use information from the authenticated user; usually when 'visible=false' CreateChildControls would not be called and the control would not be rendered. But the AntiXSS runtime module is causing the control's control tree to be created, thus causing an error when the control tries to access data from the authenticated user. I could go and refactor my master pages/controls but I'd prefer not to. Is there a need for the AntiXSS runtime module to encode controls where 'visible=false', as they won't be rendered anyway?
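As an added illustration (not code from this thread or from the AntiXSS/WPL project), here is a hypothetical ASP.NET composite control written the way the question describes, beside a version that guards on the authentication state instead of relying on Visible=false. The control and member names are assumptions. In ASP.NET, Visible=false only skips Render; CreateChildControls still runs whenever anything calls EnsureChildControls(), for example FindControl or a module walking the control tree, so the guard has to live in the control itself.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Example.MasterPageControls   // hypothetical namespace
{
    // BEFORE: the control assumes that Visible=false means CreateChildControls
    // is never reached, so it dereferences the identity unconditionally.
    public class GreetingControlBefore : CompositeControl
    {
        protected override void CreateChildControls()
        {
            // On an anonymous request Page.User.Identity.Name is empty and, depending
            // on the host, Page.User itself can be null. Any caller that forces the
            // child tree to build (EnsureChildControls, FindControl, a tree-walking
            // HTTP module) reaches this line even though Visible is false.
            string name = Page.User.Identity.Name;
            Controls.Add(new Literal { Text = "Hello, " + HttpUtility.HtmlEncode(name) });
        }
    }

    // AFTER: the guard is the authentication state, not the Visible flag.
    // Building the tree on an anonymous request is now harmless.
    public class GreetingControl : CompositeControl
    {
        private static bool IsAuthenticated(IPrincipal user)
        {
            return user != null
                && user.Identity != null
                && user.Identity.IsAuthenticated;
        }

        protected override void CreateChildControls()
        {
            Controls.Clear();

            IPrincipal user = Page == null ? null : Page.User;
            if (!IsAuthenticated(user))
            {
                // Nothing to build: no identity data is touched and nothing renders.
                return;
            }

            // Encode the user-controlled value on output regardless of any
            // runtime encoding module that may or may not be installed.
            string name = HttpUtility.HtmlEncode(user.Identity.Name);
            Controls.Add(new Literal { Text = "Hello, " + name });
        }

        protected override void Render(HtmlTextWriter writer)
        {
            // Visible=false still suppresses output; the authentication check
            // above is what keeps the tree build itself from failing.
            if (!Visible)
            {
                return;
            }
            base.Render(writer);
        }
    }
}
```

With the second form the master page can keep setting Visible=false on login.aspx; whether or not a runtime module forces the control tree to be created, an anonymous request produces an empty control rather than an exception.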

Coordinator
Jan 11, 2010 at 7:07 PM

Hi,

Yes, this was one of the issues with Anti-XSS SRE v3.1. We have fixed it in the WPL version of SRE.

Thanks

RV


Jan 14, 2010 at 2:54 PM

Thanks for that.

I've downloaded WPL 1.0 CTP from here - http://blogs.msdn.com/securitytools/archive/2009/11/11/some-new-software-security-tools-for-web-developers-ctp-releases.aspx

However, the Security Runtime Engine still appears to be attempting to encode controls where visible=false. A quick trawl with .NET Reflector does not reveal any visibility checks.

Stewart

Coordinator
Jan 14, 2010 at 11:00 PM

Sorry, I should have been more clear. I meant the beta version of WPL which will be released soon, that includes other fixes as well.

Thanks

Anil Revuru (INFORMATION SECURITY TOOLS)
