How to use AntiXss in my Project?

Girish Chaudhari · Jun 2, 2011 · Viewed 10.6k times

I want to use AntiXss library functions in my web application. I have a web application which contains ASP.NET pages with jQuery code in the code-behind. All the ASP.NET pages run through jQuery JS pages. I want to apply the encoding function to some fields, but the problem is how to apply and where to apply the encoding function (in the jQuery page where the value is set to show in the output window, or in the server-side code where the get-data API is called in the .cs files). And which function to use in these scenarios (HtmlEncode, JavaScriptEncode, etc.)?

Thanks in advance

Answer

VinayC · Jun 2, 2011

The basic idea behind preventing XSS attacks is that all input data (from a user or, say, an external application) should be treated as untrusted/unsafe and hence must be either validated while accepting and/or encoded while reproducing it in output (HTML, JS, etc.).

AFAIK, AntiXss is a server-side library, so you cannot use it to encode values in the browser. You have to apply the encoding (for HTML/HTML attribute/JS etc.) on the server side before sending those values to the client (e.g. in the aspx page or in the asmx/WCF services that are sending data to the client, where the JavaScript is going to treat the data as HTML or script).

See this article - although it's dated, it is still a good resource to start with the AntiXss lib, and it also lists scenarios for using the various encoding methods under "Determining Encoding Method to Use".
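As an added example (not part of the question or the answer above, and not code from the AntiXSS project), here is what "encode on the server, for the context the client will put the value in" looks like in a Web Forms code-behind plus an ASMX web method that jQuery calls. It assumes the AntiXSS 4.x library is referenced (the `Microsoft.Security.Application.Encoder` class; in 4.x `Encoder.JavaScriptEncode(string)` returns the literal with its surrounding quotes already emitted). The page control IDs, the `ProfileService` class and the `LookupDisplayName` data source are hypothetical, and the malicious display name is a constructed sample input.

```csharp
using System;
using System.Web.Script.Services;
using System.Web.Services;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXSS 4.x: Encoder.HtmlEncode, JavaScriptEncode, ...

// Hypothetical data access; in a real app this reads from the database.
// The value below is a constructed stored-XSS payload used as sample input.
internal static class ProfileRepository
{
    public static string LookupDisplayName(int userId)
    {
        return "<img src=x onerror=alert(1)> O'Brien";
    }
}

// Code-behind for a hypothetical Profile.aspx. The markup is assumed to contain
//   <asp:Literal ID="NameLiteral" runat="server" />
// Note: Literal (in PassThrough mode) and Label.Text render raw HTML, so the
// value must be encoded for the HTML body context before it is assigned.
public partial class Profile : Page
{
    protected Literal NameLiteral;

    protected void Page_Load(object sender, EventArgs e)
    {
        string raw = ProfileRepository.LookupDisplayName(42);

        // Context 1: value ends up as element content -> HtmlEncode.
        // "<img ...>" becomes "&lt;img ...&gt;" and is displayed, not executed.
        NameLiteral.Text = Encoder.HtmlEncode(raw);

        // Context 2: value is emitted inside a <script> block as a JS string
        // literal -> JavaScriptEncode. The encoder supplies the quotes, so the
        // result is e.g.  var displayName = '\x3cimg src\x3dx ... O\x27Brien';
        string script = "var displayName = " + Encoder.JavaScriptEncode(raw) + ";";
        ClientScript.RegisterStartupScript(GetType(), "displayName", script, true);
    }
}

// Hypothetical ASMX service that the page's jQuery calls via $.ajax.
// The JSON serializer already escapes the value as a *JavaScript* string;
// what it does not know is what the client does with it afterwards.
[ScriptService]
public class ProfileService : WebService
{
    public class ProfileDto
    {
        // For $('#name').html(data.d.NameHtml)  -> HTML context, encode here.
        public string NameHtml { get; set; }
        // For $('#name').text(data.d.NameText)  -> the DOM never parses it as
        // markup, so send it unencoded or the user sees literal "&lt;".
        public string NameText { get; set; }
    }

    [WebMethod]
    public ProfileDto GetProfile(int userId)
    {
        string raw = ProfileRepository.LookupDisplayName(userId);
        return new ProfileDto
        {
            NameHtml = Encoder.HtmlEncode(raw),
            NameText = raw,
        };
    }
}
```

Two practical checks when wiring this up: pick the encoder by the sink the browser will use (element content, attribute value, script literal, URL), not by where the data came from; and avoid double encoding, so if the jQuery side inserts a field with `.text()` or `.val()` the server should not HtmlEncode that field, while anything that reaches `.html()`, `.append()` with markup, or an inline `<script>` must be encoded for that context on the server.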