MemeStreams Discussion
This page contains all of the posts and discussion on MemeStreams referencing the following web page: Extension Methods for AntiXss. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Extension Methods for AntiXss
by Worthersee at 3:55 pm EST, Dec 13, 2007

Dominick Baier came up with a good idea to extend the HtmlEncode() and UrlEncode() methods to implement Microsoft's AntiXss version of these same methods.

When I think of Extensions in C# 3.0 I also think of prototype in JavaScript.

Part of the research I've been doing on static analysis has included identifying sources of potential tainted data in ASP.NET and the source-sink connectivity. During analysis, if a source passes through a sanitizer we don't flag a vulnerability. Even if that sanitizer is a worthless piece of shit. (Yes, I'm talking to you, people who like to use .* in your Regex validators.) We already provide pre-built validators in the product I work on, but what if we could also reduce the number of unsafe ways data is used in a program? Which brings us back to Dominick's use of Extensions. Imagine if the user could use a "Secure" Label control or a "Secure" Databound Literal control that would automatically filter an XSS attack when the Text property is accessed. Of course you could achieve that type of functionality without Extensions, but I thought it was an interesting use of the new language feature.
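As an added illustration (this is not code from the original post, from Dominick Baier, or from the AntiXss library), the following C# sketches both ideas from the post: string extension methods that route HtmlEncode/UrlEncode calls to a whitelist encoder, and a "Secure" Label whose Text getter encodes on the way out. The names HtmlEncodeAntiXss, UrlEncodeAntiXss, WhitelistEncoder and SecureLabel are assumptions; WhitelistEncoder stands in for Microsoft.Security.Application.AntiXss.HtmlEncode/UrlEncode so the file compiles without the library, and in a real project its two calls would be replaced by the AntiXss ones. The Main method also contrasts a .* validator with a whitelist pattern to show why the former is not a sanitizer.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web.UI.WebControls;

namespace AntiXssExtensionsExample
{
    // Extension methods (C# 3.0): call sites write untrusted.HtmlEncodeAntiXss()
    // instead of looking up a static helper. Assumed names, not the library's.
    public static class AntiXssStringExtensions
    {
        public static string HtmlEncodeAntiXss(this string input)
        {
            // Real use: return Microsoft.Security.Application.AntiXss.HtmlEncode(input);
            return WhitelistEncoder.Encode(input, false);
        }

        public static string UrlEncodeAntiXss(this string input)
        {
            // Real use: return Microsoft.Security.Application.AntiXss.UrlEncode(input);
            return WhitelistEncoder.Encode(input, true);
        }
    }

    // Stand-in for AntiXss: everything outside a small safe list is encoded.
    // A whitelist cannot be bypassed by a dangerous character nobody listed,
    // which is the weakness of blacklist-style encoders.
    internal static class WhitelistEncoder
    {
        public static string Encode(string input, bool forUrl)
        {
            if (input == null) return null;
            var sb = new StringBuilder(input.Length * 2);
            int i = 0;
            while (i < input.Length)
            {
                char c = input[i];
                if (IsSafe(c, forUrl)) { sb.Append(c); i++; continue; }
                string unit = NextUnit(input, ref i);   // surrogate pair kept as one unit
                if (forUrl)
                {
                    foreach (byte b in Encoding.UTF8.GetBytes(unit))
                        sb.Append('%').Append(b.ToString("X2"));
                }
                else
                {
                    int codePoint = unit.Length == 2 ? char.ConvertToUtf32(unit, 0) : unit[0];
                    sb.Append("&#").Append(codePoint).Append(';');
                }
            }
            return sb.ToString();
        }

        private static bool IsSafe(char c, bool forUrl)
        {
            bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            // Space is harmless in HTML text but must be escaped in a URL component.
            return alnum || c == '.' || c == '-' || c == '_' || (!forUrl && c == ' ');
        }

        private static string NextUnit(string s, ref int i)
        {
            if (char.IsHighSurrogate(s[i]) && i + 1 < s.Length && char.IsLowSurrogate(s[i + 1]))
            {
                string pair = s.Substring(i, 2);
                i += 2;
                return pair;
            }
            return s[i++].ToString();
        }
    }

    // "Secure" Label: whatever is bound into Text is encoded when Text is read,
    // so Label's rendering (which reads the Text property) never emits raw markup.
    // Callers must not pre-encode the value, or it will be encoded twice.
    public class SecureLabel : Label
    {
        public override string Text
        {
            get { return base.Text.HtmlEncodeAntiXss(); }
            set { base.Text = value; }
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed sample input; a typical reflected-XSS probe shape.
            string untrusted = "<b onmouseover=alert(1)>hi</b>";
            Console.WriteLine(untrusted.HtmlEncodeAntiXss());
            Console.WriteLine(untrusted.UrlEncodeAntiXss());

            // The .* validator the post complains about accepts the probe unchanged;
            // a whitelist pattern for the field's actual format rejects it.
            Console.WriteLine(Regex.IsMatch(untrusted, "^.*$"));               // True: useless
            Console.WriteLine(Regex.IsMatch(untrusted, "^[A-Za-z0-9 ]{1,40}$")); // False
        }
    }
}
```

Taint analysis treats anything matching the validator as sanitized, which is why the validator's pattern, not merely its presence, decides whether the sink is actually safe; the SecureLabel approach moves the encoding to the sink so that a weak or missing validator upstream no longer matters for that control.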
