Im currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from MS on the net and i was wondering if this would work with a classic application?
If not do you have any ideas how i could go about sanatizing the strings?
Any help at all would be brilliant.
Thanks
-
Not easily - you'd need to make a COM-callable wrapper, install on the servers, etc. I simply don't think it is a suitable fit for "classic" ASP.
-
To sanitize strings I would HTML encode all output, that way you don't have to dink around with special characters or huge regex expressions
Server.HTMLEncode(string)The two most important countermeasures to prevent cross-site scripting attacks are to:
- Constrain input.
- Encode output.
via How To: Prevent Cross-Site Scripting in ASP.NET (i know i'ts not classic asp but there are similar principals)
John Gietzen : @Steoates: This, here, is generally a pretty decent solution.Dave DuPlantis : And if you do have to display rich text (legacy system, sigh), writing a cleanup function to use multiple regular expressions is at least a step in the right direction. -
When functions don't exist in classic ASP, write them.
-
If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:
set objRegExp = new RegExp with objRegExp .Pattern = "<^((b)|(i)|(em)|(strong)|(br))>.*</.*>" .IgnoreCase = varIgnoreCase .Global = True end with cleanString = objRegExp.replace(originalString, "")
0 comments:
Post a Comment