With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax.
My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?
A Microsoft security person once told me to never just use HTML Encode as it doesn't protect very well and that I should always use the Anti XSS library (or another library). Is that still true with <%: %>? Or can I confidently use <%: %> knowing it's going to protect my app from XSS like people are saying?
HttpUtility.HtmlEncode
uses a black list (principle of exclusions) approach to encoding, which potentially leaves the door ajar for newly discover exploits in the future. The Anti-XSS library (now known as the Web Protection Library and includes code to mitigate SQL injection too) uses a whitelist approach (principle of inclusions) which closes the door a little further and should provide better security.
<%: ... %>
is just a shortcut for <%= Server.HtmlEncode(string) %>
and therefore provides the security of the encoder used in your application.
You can use any encoder you like with the new <%: ... %>
syntax and Phil Haack has a great post on hooking up the Anti-Xss library as the default encoder. Bear in mind that currently Anti-XSS library 3.1 requires medium trust to run - this is being addressed for a future release.
The new syntax should only be used to escape raw text content in HTML. EDIT: and attributes.
For attributes, Javascript, and other contexts, you should still use the Anti-XSS library,
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With