
Anti-Cross Site Scripting Library V1.5: Come Get It!

Update: The FAQ is now up as of today to help answer any initial questions you might have.  Check it out on the main landing page for the library at http://msdn2.microsoft.com/en-us/security/aa973814.aspx. 

Update: We'll be posting a Web-facing FAQ shortly (there's already one inside the library documentation) to help answer questions you might have regarding using this library.  Stay tuned!

After what seemed like forever, I am pleased to announce that the ACE and the ASP.NET teams have released the Microsoft Anti-Cross Site Scripting Library V1.5.  This library is essentially the same library we use internally (if you've ever heard the name IOSec you'll know what I am talking about) with a few enhancements.  You can find the official release announcement for V1.5 at the ACE Team Blog.  There are way too many people to thank individually, so I would just like to say thank you to the internal and external folks who provided valuable feedback (some nicer than others =P) and support.

We're not done yet!  The next version aims to pack even more functionality and new automation to help you prevent those XSS nasties in a big way and -- as always -- along with a few surprises.  Until then, enjoy this version.

Thanks,

--

Kevin Lam, CISSP

Senior Security Technologist

Microsoft Application Consulting & Engineering (ACE) Team

 

Published Saturday, November 18, 2006 9:11 AM by kevinlam

Comments

# re: Anti-Cross Site Scripting Library V1.5: Come Get It!

Hello Kevin,

I read your article about this and learned some troubling things I didn't know, like SRC being dangerous.

I have read elsewhere that even CSS is dangerous! This really bothers me.

We need to be able to allow our users to specify HTML content, but we definitely want to purify it. We've found numerous possible solutions coded in PHP or Perl, but no utility for C# thus far.

We have searched in vain for a robust solution to this. But, the algorithm I have come up with is like this. Does this sound accurate to you?

·   Define a White List of allowed HTML tags
·   Define a Black List of explicitly denied HTML tags whose contents should also be removed, like SCRIPT and OBJECT (as browsers introduce new tags, however, this will have to be updated)
·   Define a Black List of attributes that _must_ be removed from tags, such as any attribute starting with “on”, like onmouseover, onclick, etc. Also, “data*”
·   Define a list of White List protocol handlers, like "http", "https", “ftp”, “mailto”, etc.
·   Define a scan list of attributes that can contain executable protocol handlers, like "action", "background", "codebase", "dynsrc", "href", "lowsrc", "src"
·   Load incoming HTML input into an html parser
·   Pass over input and copy only the tags from the White List, but also:
    o  Explicitly remove the Black Listed tags and their children content
    o  Remove Black Listed attributes
    o  Remove attributes of scan list that start with protocol handlers not specified in the white list of protocol handlers
        §  This would remove attributes that start with “javascript:” or “about:”. There is
    o  Remove dangerous CSS rules, like behavior:, expression:, or javascript: or “java     script”, etc

Note that in this approach, code like “<marquee>testing<b>bold</b></marquee>” would be filtered to be “testing<b>bold</b>”. But, all “<script>” and “<object>” tags would be completely removed as would their child content.

Thanks!

Josh

Friday, January 26, 2007 12:54 PM by JoshuaGough
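The white-list procedure Josh lays out above, sketched as an added Python example. This is not code from the Anti-XSS library, from the ACE team or from the comment; the tag, attribute, scheme and CSS-token lists are constructed for illustration, and Python's standard-library HTMLParser stands in for the "html parser" step (a C# version would follow the same shape on top of a real HTML parser). The fragment is rebuilt from scratch rather than edited in place, attribute values are checked after entity decoding and after whitespace and control characters are stripped (so "java&#9;script:" and "java     script:" are both seen as "javascript:"), and the marquee/script/object behaviour Josh expects is what the code produces.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed lists for illustration; a real deployment tunes these to its content model.
ALLOWED_TAGS = {"a", "b", "br", "em", "i", "img", "li", "ol", "p", "strong", "u", "ul"}
# Black-listed tags whose children are removed as well (Josh names SCRIPT and OBJECT).
DROP_WITH_CONTENT = {"script", "object", "embed", "applet"}
# Attribute names that must always go: event handlers ("on*") and "data*".
BLOCKED_ATTR_PREFIXES = ("on", "data")
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
# Attributes that can carry a protocol handler (Josh's "scan list").
URL_ATTRS = {"action", "background", "codebase", "dynsrc", "href", "lowsrc", "src"}
DANGEROUS_CSS = ("behavior", "expression", "javascript")
VOID_TAGS = {"br", "img"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


def _squash(value):
    """Lower-case and drop whitespace and control characters so that an
    obfuscated scheme such as 'java<TAB>script:' is seen as 'javascript:'."""
    return "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31).lower()


def _safe_url(value):
    m = SCHEME_RE.match(_squash(value))
    return m is None or m.group(1) in ALLOWED_SCHEMES  # no scheme means a relative URL


def _safe_css(value):
    squashed = _squash(value)
    return not any(token in squashed for token in DANGEROUS_CSS)


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, copying only white-listed tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity refs are decoded before our checks
        self.out = []
        self.drop_depth = 0   # > 0 while inside a black-listed element
        self.open_tags = []   # allowed tags we emitted, so we can balance them

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # not white-listed: drop the tag itself but keep its children
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith(BLOCKED_ATTR_PREFIXES):
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            if name == "style" and not _safe_css(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:  # close anything still open inside it
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    # Comments, declarations and processing instructions are dropped: HTMLParser's
    # default handlers for them do nothing, so nothing can hide inside them.

    def result(self):
        while self.open_tags:  # balance tags the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(sanitize_html("<marquee>testing<b>bold</b></marquee>"))  # testing<b>bold</b>
```

The important design choice is that the output is generated only from what the parser understood and accepted, never by deleting substrings from the input; the weak spot of any such filter is that the browser's parser may read malformed markup differently from the sanitizer's, so the lists above need revisiting as browsers add tags and attributes, exactly the maintenance burden Josh notes.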