Extension Methods for AntiXss
Topic: Technology 3:55 pm EST, Dec 13, 2007

Dominick Baier came up with a good idea: extension methods for HtmlEncode() and UrlEncode() that call Microsoft's AntiXss versions of those same methods.

When I think of extension methods in C# 3.0 I also think of prototype in JavaScript.

Part of the research I've been doing on static analysis has included identifying sources of potentially tainted data in ASP.NET and the source-to-sink connectivity. During analysis, if a source passes through a sanitizer we don't flag a vulnerability, even if that sanitizer is a worthless piece of shit. (Yes, I'm talking to you, people who like to use .* in your Regex validators.) We already provide pre-built validators in the product I work on, but what if we could also reduce the number of unsafe ways data is used in a program?

Which brings us back to Dominick's use of extension methods. Imagine if the user could use a "Secure" Label control or a "Secure" data-bound Literal control that would automatically filter an XSS attack when the Text property is accessed. Of course you could achieve that type of functionality without extension methods, but I thought it was an interesting use of the new language feature.
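To make both ideas concrete, here is an added example (my own illustration, not Dominick Baier's code or Microsoft's): string extension methods that route through the AntiXss white-list encoders, plus a "Secure" Label whose Text getter encodes on every read. It assumes the AntiXSS library's static `Microsoft.Security.Application.AntiXss` class (HtmlEncode, HtmlAttributeEncode, UrlEncode) and System.Web are referenced; the method names `ToSafeHtml`, `ToSafeHtmlAttribute`, `ToSafeUrl` and the class `SecureLabel` are this example's own. One encoder per output context is the point the extension-method names try to make obvious at the call site: HTML body text, attribute values and URL query data each need a different encoding, and picking the wrong one is exactly the kind of "sanitizer" a taint analysis will credit without the output actually being safe.

```csharp
// Added example, not code from the original post or from the AntiXSS library.
// Assumes the Microsoft AntiXSS library (static Microsoft.Security.Application.AntiXss,
// 1.5/3.x-era API) and System.Web are referenced.
using System;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;

namespace AntiXssExtensionsExample
{
    /// <summary>
    /// Puts the AntiXss white-list encoders on string, so call sites read
    /// s.ToSafeHtml() instead of AntiXss.HtmlEncode(s). Unlike HttpUtility.HtmlEncode,
    /// which escapes only a handful of characters, AntiXss encodes everything
    /// outside an allowed set. Method names are hypothetical (this example's own).
    /// </summary>
    public static class AntiXssExtensions
    {
        // For data placed between HTML tags (element content).
        public static string ToSafeHtml(this string value)
        {
            return value == null ? string.Empty : AntiXss.HtmlEncode(value);
        }

        // For data placed inside a quoted HTML attribute value.
        public static string ToSafeHtmlAttribute(this string value)
        {
            return value == null ? string.Empty : AntiXss.HtmlAttributeEncode(value);
        }

        // For data placed in a URL query-string parameter.
        public static string ToSafeUrl(this string value)
        {
            return value == null ? string.Empty : AntiXss.UrlEncode(value);
        }
    }

    /// <summary>
    /// A "Secure" Label: whatever is assigned to Text, tainted request data
    /// included, comes back HTML-encoded on read, so the rendered markup never
    /// carries live tags or script from the source. Hypothetical class name.
    /// </summary>
    public class SecureLabel : Label
    {
        public override string Text
        {
            get { return base.Text.ToSafeHtml(); }   // encode at the sink, every read
            set { base.Text = value; }               // store the raw value unchanged
        }
    }

    public class Demo
    {
        public static void Main()
        {
            // Constructed sample of a tainted value, the kind a request parameter delivers.
            string tainted = "<script>alert('x')</script> & \"quoted\"";

            // Each call encodes for one specific output context.
            Console.WriteLine(tainted.ToSafeHtml());           // safe as element content
            Console.WriteLine(tainted.ToSafeHtmlAttribute());  // safe inside an attribute
            Console.WriteLine(tainted.ToSafeUrl());            // safe in a query string

            // The control encodes on access, so the page author cannot forget to.
            var label = new SecureLabel { Text = tainted };
            Console.WriteLine(label.Text);                     // encoded, never the raw string
        }
    }
}
```

The `SecureLabel` override works because `Label.Text` is virtual and the control's rendering path reads the property rather than the backing field, so the encoding applies whether the value was set in markup, in code-behind or by data binding. The trade-off is that reading `Text` back for non-HTML purposes also yields the encoded form, which is the price of making the safe path the default one.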
