Preventing XSS with Correct Output Encoding


Encoding output to prevent cross-site scripting (XSS) is old news to most of the web security community, but it is still an area that is done incorrectly, or without thought to issues that might arise later. Additionally, with the explosion of AJAX-based applications there is a shortage of encoding tools that target JavaScript output, or that provide an implementation usable from JavaScript.


Standard framework utilities for encoding output (Server.HtmlEncode, etc.) only encode the most basic set of characters, &, <, >, and " (not even the single quote, which matters in single-quoted attribute values). In a perfect world this would be enough, but in the age of browser bugs, broken Unicode libraries, and lenient HTML interpretation that tolerates occasional sloppy coding, more is needed to protect our applications. Enter the Reform encoding library.

Of specific mention is correct context-aware output encoding. The context could be "HTML body", "HTML attribute", "CSS", "JavaScript", etc. It is important to understand which interpreter will consume your data in order to know how it needs to be encoded, and a value that is safe in one context (a numeric character reference in an HTML body) can be live code in another (the same reference inside an event-handler attribute, where the browser decodes it before the JavaScript engine sees it). It is because of these context issues that one must encode data on output instead of on input. Unfortunately there are no shortcuts :)

The Reform encoding library, also known as the OWASP Encoding Project, provides conservative functions for performing the different types of encoding needed in today's web applications, in a large variety of languages. Currently there is support for: Java, C, Python, Perl, PHP, Ruby, JavaScript, ASP.NET, and Classic ASP. All of the Reform functions are internationalization safe and easy to use, and they prevent the known types of XSS issues when the right function is used for the right output context.

What is encoded?

  • Everything but: A-Z, a-z, 0-9, space [ ], comma [,], and period [.]
  • Non-ASCII (Unicode) characters are always encoded, never passed through


The following functions are provided:

  • HtmlEncode — Encode data for display in a block of HTML or in an HTML attribute value.
  • JsEncode — Encode data into a JavaScript string literal
  • VbsEncode — Encode data into a VBScript string literal
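As an added example, not Reform's own code and not from the original post, here is a Python encoder that follows the allow list stated above (letters, digits, space, comma and period pass through; everything else, including all non-ASCII, is encoded) for the three contexts listed, and that demonstrates the context point from the earlier paragraph: the same payload placed in an onclick attribute after HTML encoding only, versus JavaScript encoding first and HTML encoding on top. The function names, the `show()` handler in the markup and the payload string are assumptions chosen for illustration.

```python
import html
import re

# Allow list from the post: ASCII letters, digits, space, comma and period
# pass through unchanged in every context.  Every other character, including
# all non-ASCII, is encoded.  (Added example; not the Reform library's code.)
SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ,.")


def _utf16_units(c):
    """Code units for one character; astral characters give a surrogate pair."""
    b = c.encode("utf-16-be")
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, len(b), 2)]


def html_encode(s):
    """HTML body or attribute-value context: decimal character references."""
    return "".join(c if c in SAFE else "&#%d;" % ord(c) for c in s)


def js_encode(s):
    """JavaScript string-literal context: \\xHH below U+0100, \\uHHHH above."""
    out = []
    for c in s:
        if c in SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02x" % ord(c))
        else:
            out.extend("\\u%04x" % u for u in _utf16_units(c))
    return "".join(out)


def vbs_encode(s):
    """VBScript string-literal context: safe runs stay quoted, everything else
    becomes ChrW(n); the result is always a complete string expression."""
    parts, run = [], []
    for c in s:
        if c in SAFE:
            run.append(c)
            continue
        if run:
            parts.append('"%s"' % "".join(run))
            run = []
        parts.extend("ChrW(%d)" % u for u in _utf16_units(c))
    if run:
        parts.append('"%s"' % "".join(run))
    return " & ".join(parts) if parts else '""'


def js_unescape(literal):
    """What the JavaScript engine makes of a js_encode()d literal body."""
    decoded = re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                     lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)
    # re-join the surrogate pairs emitted for astral characters
    return decoded.encode("utf-16-le", "surrogatepass").decode("utf-16-le")


def render_link(value, js_stage):
    """Event-handler attribute (hypothetical show() handler): the browser
    HTML-decodes the attribute value first and then hands it to the JavaScript
    engine, so the value must be JS-encoded first and HTML-encoded on top."""
    attr = html_encode(js_stage(value))
    return '<a href="#" onclick="show(\'%s\')">link</a>' % attr


def script_seen_by_js_engine(markup):
    """Simulate the browser: pull out the onclick value and HTML-decode it."""
    m = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(m.group(1))


# Constructed sample input: a classic attribute/string-literal breakout.
PAYLOAD = "');alert(document.cookie);//"


def compare_contexts(value=PAYLOAD):
    """Return (HTML-encode-only result, JS-then-HTML result) as JS sees them."""
    naive = script_seen_by_js_engine(render_link(value, lambda s: s))
    hardened = script_seen_by_js_engine(render_link(value, js_encode))
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = compare_contexts()
    print("HTML-encode only, JS engine runs:", naive)       # payload escapes the literal
    print("JS then HTML, JS engine runs:    ", hardened)    # payload stays a string
    print("string value inside the literal: ", js_unescape(hardened[6:-2]))
```

With HTML encoding alone the attribute decodes back to `show('');alert(document.cookie);//')`, and the payload runs; with the JavaScript stage applied first the engine receives `\x27\x29\x3b...` and the string literal stays a string. The allow-list approach costs some output size, but it means the encoder needs no knowledge of which characters a particular browser or Unicode library happens to mishandle.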

Microsoft’s AntiXss Library

An alternative to Reform is the Microsoft AntiXss Library.  Both libraries are functionally equivalent and in fact were designed by the same people.

Reform can be downloaded from here.


~ by meddington on May 19, 2008.

4 Responses to “Preventing XSS with Correct Output Encoding”

  1. Great post, thanks!

    I think it’s too easy to skip validation of outputted code when rushing to finish a form.

    It may not seem like a big deal if a script kiddie spams the form with popups, but what would happen if they stole cookies related to the form?

    Well worth taking the time to think about security, in my opinion!

  3. Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.
