Microsoft Web Protection Library (AntiXSS) has reached End of Life. The page states "In .NET 4.0 a version of AntiXSS was included in the framework and could be enabled via configuration. In ASP.NET v5 a white list based encoder will be the only encoder."
I have a classic cross-site scripting scenario: an ASP.Net Core solution where users can edit text using a WYSIWYG HTML editor. The result is displayed for others to see. This means that if users inject JavaScript into the data they submit when saving the text, this code could execute when others visit the page.
I want to be able to whitelist certain HTML-codes (safe ones), but strip out bad codes.
How do I do this? I can't find any methods in ASP.Net Core RC2 to help me. Where is this white list encoder? How do I invoke it? For example I would need to clean output being returned via JSON WebAPI.
The dot.net core community has a wiki on this.
You can inject encoders at a controller level (in the constructor) or reference System.Text.Encodings.Web.
More info can be seen here:
https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting
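As an added illustration of what the answer describes (this is example code, not from the original post or from the ASP.NET Core project), the controller below receives the framework-registered `HtmlEncoder` and `JavaScriptEncoder` through its constructor and uses them to encode a stored, user-supplied string before returning it in a JSON response. The `CommentsController` class, its route, and the sample string are assumptions made for the example. It also shows the "white list" nature of these encoders: `HtmlEncoder.Create` takes the Unicode ranges that may pass through unencoded, and everything outside those ranges, including every HTML markup character, is replaced with an entity reference.

```csharp
using System.Text.Encodings.Web;
using System.Text.Unicode;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.WebEncoders;

// Hypothetical controller, written for this example only.
[ApiController]
[Route("api/[controller]")]
public class CommentsController : ControllerBase
{
    private readonly HtmlEncoder _html;
    private readonly JavaScriptEncoder _js;

    // ASP.NET Core registers HtmlEncoder, JavaScriptEncoder and UrlEncoder
    // in the service container, so they can be constructor-injected.
    public CommentsController(HtmlEncoder html, JavaScriptEncoder js)
    {
        _html = html;
        _js = js;
    }

    [HttpGet("{id}")]
    public IActionResult Get(int id)
    {
        // Constructed sample standing in for text a user saved through the editor.
        string stored = "<script>alert(1)</script> Привет";

        // Encode once per output context: the HTML-encoded value is safe to drop
        // into element content, the JavaScript-encoded value into a script string.
        // Note that an encoder escapes *all* markup; it does not keep a subset of
        // tags, so "allow <b> but strip <script>" needs a separate sanitizing step
        // before the text is stored, with encoding still applied on output.
        return Ok(new
        {
            id,
            html = _html.Encode(stored),
            script = _js.Encode(stored)
        });
    }
}

// Helpers usable outside DI (for example in a background job or a unit test).
public static class OutputEncoding
{
    // The default encoder allows only Basic Latin through; everything else,
    // including non-ASCII letters, becomes an entity reference.
    public static string HtmlDefault(string value) => HtmlEncoder.Default.Encode(value);

    // A custom encoder that widens the allowed set to Cyrillic so that text in
    // that script stays readable, while markup characters are still encoded.
    public static readonly HtmlEncoder HtmlWithCyrillic =
        HtmlEncoder.Create(UnicodeRanges.BasicLatin, UnicodeRanges.Cyrillic);

    public static string HtmlCyrillic(string value) => HtmlWithCyrillic.Encode(value);
}

// Optional startup configuration (hypothetical Startup/Program fragment):
// registering a TextEncoderSettings here changes the allowed ranges for the
// HtmlEncoder, JavaScriptEncoder and UrlEncoder that DI hands out.
public static class EncoderRegistration
{
    public static void Configure(IServiceCollection services)
    {
        services.Configure<WebEncoderOptions>(options =>
        {
            options.TextEncoderSettings =
                new TextEncoderSettings(UnicodeRanges.BasicLatin, UnicodeRanges.Cyrillic);
        });
    }
}
```

The defensive point is that the encoder is chosen per output context (HTML body, JavaScript string, URL) and applied at the point of output, not at storage time; widening the allowed Unicode ranges only affects which plain characters are left untouched and never lets markup characters through.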