What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

by

I don’t have an answer specifically to your question, but I would like to point out that the white list vs black list approach not just “nice”. It’s important. Very important. When it comes to security, every little thing is important. Remember that with cross-site scripting and cross-site request forgery , even if your site is not showing sensitive data, a hacker could infect your site by injecting javascript and use it to get sensitive data from another site. So doing it right is critical.

OWASP guidelines specify using a white list approach. PCI Compliance guidelines also specify this in coding standards (since they refer tot he OWASP guidelines).

Also, the newer version of the AntiXss library has a nice new function: .GetSafeHtmlFragment() which is nice for those cases where you want to store HTML in the database and have it displayed to the user as HTML.

Also, as for the “bug”, if you’re coding properly and following all the security guidelines, you’re using parameterized stored procedures, so the single quotes will be handled correctly, If you’re not coding properly, no off the shelf library is going to protect you fully. The AntiXss library is meant to be a tool to be used, not a substitute for knowledge. Relying on the library to do it right for you would be expecting a really good paintbrush to turn out good paintings without a good artist.

Edit – Added

As asked in the question, an example of where the anti xss will protect you and HttpUtility will not:

HttpUtility.HtmlEncode and Server. HtmlEncode do not prevent Cross Site Scripting

That’s according to the author, though. I haven’t tested it personally.

It sounds like you’re up on your security guidelines, so this may not be something I need to tell you, but just in case a less experienced developer is out there reading this, the reason I say that the white-list approach is critical is this.

Right now, today, HttpUtility.HtmlEncode may successfully block every attack out there, simply by removing/encoding < and > , plus a few other “known potentially unsafe” characters, but someone is always trying to think of new ways of breaking in. Allowing only known-safe (white list) content is a lot easier than trying to think of every possible unsafe bit of input an attacker could possibly throw at you (black-list approach).

More Related Contents:

  1. A potentially dangerous Request.Form value was detected from the client
  2. How to encode the plus (+) symbol in a URL
  3. How do you avoid XSS vulnerabilities in ASP.Net (MVC)?
  5. How does Html.Raw MVC helper work?
  6. What is the best way to read/parse the XML files [closed]
  7. SignalR – Sending a message to a specific user using (IUserIdProvider) *NEW 2.0.0*
  8. CodeFile vs CodeBehind
  9. How to update a PDF without creating a new PDF?
  10. IIS 500.19 with 0x80070005 The requested page cannot be accessed because the related configuration data for the page is invalid error
  11. ASP.NET Identity DbContext confusion
  12. ASP.NET web.config: configSource vs. file attributes
  13. How serious is this new ASP.NET security vulnerability and how can I workaround it?
  14. How do I protect static files with ASP.NET form authentication on IIS 7.5?
  15. asp.net validation to make sure textbox has integer values
  16. ASP.Net Download file to client browser
  17. How do you get the UserID of a User object in ASP.Net MVC?
  18. How to use the tag in ASP.NET?
  19. Databinding methods such as Eval(), XPath(), and Bind() can only be used in the context of a databound control
  20. How do modern implementations of Comet/Reverse AJAX work? Any stable C# WCF or ASP.NET implementations?
  21. Get DisplayName Attribute without using LabelFor Helper in asp.net MVC
  22. Can I get the browser time zone in ASP.NET or do I have to rely on JS operations to retrieve the information?
  23. How to return a view for HttpNotFound() in ASP.Net MVC 3?
  24. ViewModel’s list is null in action
  25. SignalR and Browser Connection limit
  26. ASP.NET Why are sessions timing out, sessionstate timeout set
  27. How to decide which is right, WebForms or MVC when doing ASP.NET
  28. Does any change in any file inside bin folder cause application recycle in ASP.NET web application?
  29. Editing resource files without recompiling ASP.NET application
  30. Decompile Precompiled Source Code ASP.NET

Leave a Comment