Channel: Microsoft Web Protection Library

Released: AntiXss Library 4.3.0 (Jun 02, 2014)


Download from NuGet or the Microsoft Download Center

This release finally addresses the overzealous behaviour of the HTML Sanitizer, which should now function as expected once again.

HTML encoding has been changed to safelist a few more characters for webforms compatibility.

This will be the last version of AntiXSS that contains a sanitizer. Any new releases will be encoding libraries only.

We recommend you explore other sanitizer options, for example

Updated Release: AntiXss Library 4.3.0 (Jun 02, 2014)


New Post: A working sanitizer again - 4.3.0

Created Unassigned: Unicode DoubleWidth Chars are not Sanitized [21143]

http://www.securityfocus.com/archive/1/390751
http://stackoverflow.com/questions/8326846/convert-ascii-chars-to-unicode-fullwidth-latin-letters-in-python

When I call GetSafeHtmlFragment it's not getting sanitized:

Sanitizer.GetSafeHtmlFragment("〈script〉KillAllHumans();〈/script〉")

output : 〈script〉KillAllHumans();〈/script〉

Closed Unassigned: 4.3.0: Unicode DoubleWidth Chars are not Sanitized [21143]

Comments: The sanitizer is now retired. No issues will be addressed.

Having said that, browsers don't treat the double-wide less-than and greater-than as the standard 7-bit ones, so this won't cause problems anyway as long as you stick with the standard templates and UTF-8.

Commented Unassigned: 4.3.0: Unicode DoubleWidth Chars are not Sanitized [21143]

Comment from web user montago:

The browsers are not the problem (at first).

It's the database with ASCII datatypes, which downsamples from Unicode to ASCII, which thereby results in an XSS attack.

You said the sanitizer is retired. Has something replaced it?

Commented Unassigned: 4.3.0: Unicode DoubleWidth Chars are not Sanitized [21143]

Comment from web user bdorrans:

Well, in that case I'd say use nvarchar, or encode at the point of output. An HTML sanitizer wouldn't help for SQL misinterpretation - HTML != SQL.

There's no replacement. We have recommendations in the release notes, but we don't pick or choose a favourite approach.
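The transcoding hazard montago describes, as an added example that is not part of the original thread and not AntiXSS code: a toy tag stripper that only recognises the ASCII '<' (a stand-in I wrote, not the AntiXSS sanitizer) passes double-width brackets through untouched, and a later lossy Unicode-to-ASCII step then turns them into a real tag. NFKC normalization stands in here for the ASCII column's downsample, since fullwidth forms are defined as compatibility equivalents of their ASCII counterparts; the payload is constructed from the fullwidth forms U+FF1C/U+FF1E, which is what the issue title and the linked StackOverflow question point to. The last two functions show the two defences the maintainer names: canonicalise before sanitizing, and encode at the point of output.

```python
import html
import re
import unicodedata

# Constructed sample: fullwidth (double-width) angle brackets U+FF1C / U+FF1E
# around the payload text from the issue report.
FULLWIDTH_PAYLOAD = "\uFF1Cscript\uFF1EKillAllHumans();\uFF1C/script\uFF1E"

_ASCII_TAG = re.compile(r"<[^>]*>")


def naive_strip_tags(fragment: str) -> str:
    """Toy tag stripper (hypothetical, not the AntiXSS sanitizer): removes
    anything that looks like a tag, but only recognises ASCII '<' and '>'."""
    return _ASCII_TAG.sub("", fragment)


def lossy_downsample(text: str) -> str:
    """Stand-in for the Unicode-to-ASCII downsample of an ASCII column.
    NFKC maps fullwidth compatibility characters onto their ASCII base
    characters, so U+FF1C becomes '<' and U+FF1E becomes '>'."""
    return unicodedata.normalize("NFKC", text)


def sanitize_then_downsample(fragment: str) -> str:
    """The broken order: the stripper sees no ASCII '<' and passes the
    fragment; the downsample then produces a live <script> tag."""
    return lossy_downsample(naive_strip_tags(fragment))


def downsample_then_sanitize(fragment: str) -> str:
    """Defence 1: canonicalise first, so the sanitizer and the storage layer
    agree on what the data is before any decision is made."""
    return naive_strip_tags(lossy_downsample(fragment))


def render_encoded(stored: str) -> str:
    """Defence 2 (the maintainer's recommendation): HTML-encode at the point
    of output, so whatever '<' survived storage is rendered as text."""
    return html.escape(stored, quote=True)


def confusable_metachars(text: str) -> list:
    """Detection aid: non-ASCII characters whose NFKC form contains an HTML
    metacharacter. A non-empty result means an ASCII-only sanitizer and a
    normalising consumer will disagree about this input."""
    meta = set("<>&\"'")
    found = set()
    for ch in text:
        if ord(ch) < 128:
            continue
        if meta & set(unicodedata.normalize("NFKC", ch)):
            found.add(ch)
    return sorted(found)


if __name__ == "__main__":
    print(sanitize_then_downsample(FULLWIDTH_PAYLOAD))
    print(downsample_then_sanitize(FULLWIDTH_PAYLOAD))
    print(render_encoded(sanitize_then_downsample(FULLWIDTH_PAYLOAD)))
    print(confusable_metachars(FULLWIDTH_PAYLOAD))
```

Running it shows the fullwidth fragment surviving the stripper, coming back as an ASCII `<script>` tag after the downsample, and being neutralised by either normalising first or encoding on output; `confusable_metachars` is the check to run at the input boundary when an ASCII-only filter sits in front of a lossy store.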

New Post: regarding AntiXSS Libary for classic asp website

Hi All,

I want to use an 'AntiXSS Library' for my live site that is made in classic ASP. Does anybody know whether 'Microsoft's AntiXSS Library' works for a classic ASP website or not? Please let me know ASAP. I will be very thankful for any help.

Thanks.

New Post: regarding AntiXSS Libary for classic asp website

New Post: AntiXSS with a web forms project in asp.net 4.5

I am trying to implement anti XSS support in a web forms app running on .net 4.5 but I am a little confused. I want to sanitise data on input and encode data on output. My understanding is that, out of the box, the default input filtering in the .net framework uses a black list, but that a white list approach is more favourable.

I’ve read that using the Microsoft AntiXSS / Web protection Library is the recommended approach, however I’m unsure as to what’s involved with implementing it. I’ve read numerous articles on the subject and some imply that by merely including an entry in your config file will replace the default filtering/encoding with the more robust AntiXSS version, meaning the enhanced filtering/encoding is then done automatically. Is this true and if so, is there an easy way to test it to prove the new library is being used?

New Post: AntiXSS with a web forms project in asp.net 4.5

AntiXSS doesn't really do input sanitization. It has an HTML sanitizer, but it's old and not supported any more.

It will support output encoding, which will protect you when input filtering fails, which frankly is pretty often, as everyone's idea of what's suitable input is particular to their own app. The config support is only to swap out output encoders.

New Post: XSS scripting for Search textbox

I have a textbox which is used for searching the data within the site. What my client wants is that:

1) Enter any text in the search field and click the search symbol.
2) The request goes to the server using a web proxy tool like "Burp".
3) Append the parameter with the script present as "test<~script>confirm(123)<~/script>".

What happens here is that the XSS script entered by the adversary gets reflected in the response without any input. Please see the image below and you will get an idea:

http://www.imagesup.net/?di=414158635584

Guys, let me know if you need any more information related to it. Please help guys, Any help would be appreciated. I want to stop the attack from server side.

Created Unassigned: Not able to find SRE or antixss module [21559]

I wanted to use the Security RunTime Engine or the AntiXSS module. I am not able to find the DLL or the code.
Can someone please help me in locating it, or any similar HttpModule which can be used against XSS attacks?

I could only find the antixsslibrary.dll in the downloads.

New Post: Not able to find the Security RunTime Engine or AntiXSS module

Wanted to use the Security RunTime Engine or the AntiXSS module. Not able to find the DLL or the code.
Can someone please help me in locating it, or any similar HttpModule which can be used against XSS attacks?

I could only find the antixsslibrary.dll in the downloads.

New Post: Not able to find the Security RunTime Engine or AntiXSS module

It has not been supported since V3. The source is available should you wish to compile and try it for yourself, but it's not supported.

Commented Issue: GetSafeHtmlFragment replacing all html tags [17246]

When we updated our AntiXss library to 4.2.1 we noticed that our GetSafeHtmlFragment was no longer working. Is it required that we now whitelist any html attributes that we need with the newest release ?
 
GetSafeHtmlFragment("<b>text</b>") returns only "text".
 
The version we were running prior to release was 4.0.0 which did not seem to require any such white listing of needed html attributes.
 
Thank you in advance for reviewing this issue.
Comment from web user yougotiger:

Just tested with the version now offered and the same problem exists, it strips nearly all HTML out of the string. This is undesirable in the extreme, I will be rolling back to our previous version.

New Post: AntiXss Versus Encoder

I'm looking to protect against XSS and I have been browsing around and have found various threads on the subject. I'm wondering which is a more up to date library for protecting against XSS. I've read that Encoder uses blacklist versus AntiXss uses white list. Is this true? What are the other differences?

I'm currently using .net 4.0 I was hoping somebody can point me in the right direction.

Created Unassigned: where does this install to? [21668]

Hi. The installer and the instructions amazingly do not tell me where this will install. Is this so secure that we are not able to find it? If I have to go to the GAC to get this, then that is an absurd assumption. Fix your installer and fix your documentation to state where this product gets installed. Seriously.

AntiXSS 4.3
windows 7 x64

Created Unassigned: Sanitizer.GetSafeHtmlFragment() doesn't work correctly with 1084 Unicode symbol [21693]

Sanitizer.GetSafeHtmlFragment('м') returns "&#1084;"

Seems that problem is in this class

Microsoft.Exchange.Data.TextConverters.HtmlWriter

    bool IFallback.IsUnsafeUnicode(char ch, bool isFirstChar)
    {
        // With HTML filtering on, a character is treated as unsafe (and is
        // written out as a numeric entity, which is why 'м' comes back as
        // &#1084;) when either of its two bytes equals '<', when it is a BOM
        // anywhere but the first position, or when it is a private-use
        // code point.
        return this.filterHtml &&
            ((byte)(ch & 0xFF) == (byte)'<' ||
             (byte)((ch >> 8) & 0xFF) == (byte)'<' ||
             (!isFirstChar && ch == '\uFEFF') ||
             Char.GetUnicodeCategory(ch) == System.Globalization.UnicodeCategory.PrivateUse);
    }

The first test,

    (byte)(ch & 0xFF) == (byte)'<'

returns TRUE for code 1084.

Commented Unassigned: Sanitizer.GetSafeHtmlFragment() doesn't work correctly with 1084 Unicode symbol [21693]

Comment from web user bdorrans:

What would you consider the correct response here? The unencoded character?

Regardless, the sanitizer is no longer supported, and if it's just that you'd rather it was unencoded, that's not going to get addressed, as the encoded value is still correct.
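To make the byte coincidence the reporter points at concrete, here is an added Python transcription of the quoted predicate (my own port for illustration, not the library's code), next to a constructed alternative that compares whole code points instead of bytes. Both drive a small entity-encoding loop that reproduces the "&#1084;" output from the report, so the difference can be checked on Cyrillic м (U+043C, low byte 0x3C), on the ASCII '<', and on the fullwidth form U+FF1C. The `byte_coincidences` count is an assumption-free measure of how much the byte test over-encodes; as the maintainer says, an entity is still a correct rendering, so this is a usability difference, not a security one.

```python
import unicodedata

LT = ord("<")  # 0x3C


def is_unsafe_unicode_bytewise(ch: str, is_first_char: bool, filter_html: bool = True) -> bool:
    """Transcription of the IsUnsafeUnicode test quoted in the issue: a char
    is 'unsafe' if its low byte or its high byte equals 0x3C ('<'), if it is
    a BOM anywhere but the first position, or if it is private use."""
    cp = ord(ch)
    return filter_html and (
        (cp & 0xFF) == LT
        or ((cp >> 8) & 0xFF) == LT
        or (not is_first_char and ch == "\uFEFF")
        or unicodedata.category(ch) == "Co"  # UnicodeCategory.PrivateUse
    )


def is_unsafe_unicode_codepoint(ch: str, is_first_char: bool, filter_html: bool = True) -> bool:
    """Constructed alternative (not from the library): compare whole code
    points. Flags the real '<' (U+003C), its fullwidth compatibility form
    (U+FF1C), a misplaced BOM and private-use characters; U+043C is no
    longer caught just because its low byte happens to be 0x3C."""
    return filter_html and (
        ch in ("<", "\uFF1C")
        or (not is_first_char and ch == "\uFEFF")
        or unicodedata.category(ch) == "Co"
    )


def encode_fragment(text: str, predicate) -> str:
    """Write a decimal numeric character reference for every character the
    predicate flags; this is the step that yields '&#1084;' for 'м'."""
    out = []
    for i, ch in enumerate(text):
        out.append(f"&#{ord(ch)};" if predicate(ch, i == 0) else ch)
    return "".join(out)


def byte_coincidences(predicate, lo: int = 0x0100, hi: int = 0xFFFF) -> int:
    """Count assigned, non-private BMP code points above ASCII that the
    predicate flags although their NFKC form contains no '<'. The BOM is
    skipped because both predicates flag it on purpose."""
    count = 0
    for cp in range(lo, hi + 1):
        ch = chr(cp)
        if ch == "\uFEFF" or unicodedata.category(ch) in ("Cs", "Co", "Cn"):
            continue  # BOM, surrogates, private use, unassigned
        if predicate(ch, False) and "<" not in unicodedata.normalize("NFKC", ch):
            count += 1
    return count


if __name__ == "__main__":
    print(encode_fragment("\u043c", is_unsafe_unicode_bytewise))    # &#1084;
    print(encode_fragment("\u043c", is_unsafe_unicode_codepoint))   # м
    print(byte_coincidences(is_unsafe_unicode_bytewise))
    print(byte_coincidences(is_unsafe_unicode_codepoint))
```

The bytewise count includes the whole U+3C00..U+3CFF block (high byte 0x3C) plus every assigned code point whose low byte is 0x3C, which is where U+043C comes from; the code-point version flags nothing outside the characters it names. Note also that the byte test does not flag U+FF1C, which matches the maintainer's point that browsers do not read the double-wide form as a real '<'.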
