AntiXSS Issue Tracker Rss Feed

Created Issue: calling AntiXss.GetSafeHtmlFragment() removes all text after the illegal text [10875]

thejonz — Tue, 03 Nov 2009 23:34:56 GMT

When I call AntiXss.GetSafeHtmlFragment() all the text after any illegal script text is also removed.

For example:
if a user types in "<script>alert('hi');</alert>This text is removed" and AntiXss.GetSafeHtmlFragment() is called the result will be an empty string

or in other words AntiXss.GetSafeHtmlFragment("<script>alert('hi');</alert>This text is removed") == ""

Commented Issue: SupressAntiXssEncoding Not working [10091]

anilkr — Sat, 24 Oct 2009 01:21:21 GMT

In the AntiXSS Library Help, it says to to do the following to supress individual controls:

[Microsoft.Security.Application.SecurityRuntimeEngine.SupressAntiXssEncoding()]

protected global::System.Web.UI.WebControls.Label Label1;

For my web page, in the designer file, I have the following:

[Microsoft.Security.Application.SecurityRuntimeEngine.SupressAntiXssEncoding()]
protected global::System.Web.UI.WebControls.Literal litMainMenu;

And attached is my antixssmodule.config.

I'm wondering if I'm missing something or why it's not supressing the antixss encoding. I've also tried with label controls, and it does the same behavior.

Thanks for any help in advance.
Comments: ** Comment from web user: anilkr **

This is now fixed in the next version of SRE which will be released as part of WPL v1.0 release.

Closed Issue: Anti-Xss Module configuration file does not work properly [8561]

anilkr — Sat, 24 Oct 2009 01:19:13 GMT

I have a site (.Net 3.5) where I want to use the Anti-Xss module. I was looking at the code and I've seen that it has a lot of "span" tag that are runat server. While doing my test, I used the default configuration file (antixssmodule.config) having almost all controls inside the config. It was still showing the html as html. Then I tried to add the following line inside the config file:

<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlGenericControl" PropertyName="InnerHtml" EncodingContext="Html" />

Because "span" is a "HtmlGenericControl", I was pretty sure that would work but it doesn't. Is there any reason why it would not work?

Thank you in advance.
Comments:

Not fixable at this point in SRE.

Closed Issue: Title property for System.Web.UI.Page [10199]

anilkr — Sat, 24 Oct 2009 01:18:08 GMT

In the antixssmodule.config, the entry for the property Title for the type System.Web.UI.Page generates an error when the <head> tag does not have a runat="server" property. By default the <head> does not have a runat="server" in most *.aspx pages.
Comments:

Fixed in the next version of SRE, which will be released as part of WPL v1.0

Closed Issue: Dependancy of Microsoft.ACESec.WebControls with Microsoft.ACESec.IOSec.dll [9547]

anilkr — Sat, 24 Oct 2009 01:17:08 GMT

We are using Microsoft.ACESec.Webcontrols & Microsoft.ACESec.IOSec.dll in one of our application. When we try to replace the Microsoft.ACESec.IOSec.dll with AntiXss library, error is thrown because of Microsoft.ACESec.WebControls internally referes Microsoft.ACESec.IOSec.dll which is removed by us.
Is there any release on ACESec.Webcontrols AntiXss library
Could you please provide pointers to resolve this dependancy.
Comments:

This library is deprecated due to the overlapping features in SRE.

Commented Issue: Dependancy of Microsoft.ACESec.WebControls with Microsoft.ACESec.IOSec.dll [9547]

anilkr — Sat, 24 Oct 2009 01:16:43 GMT

SRE provides many features that are provided by the controls. Thus this library is deprecated

Commented Issue: Title property for System.Web.UI.Page [10199]

anilkr — Sat, 24 Oct 2009 01:14:30 GMT

Fixed in the next version of SRE. WPL v1.0

Created Issue: Incorrect handling of HTML entities [10794]

nesteruk — Fri, 16 Oct 2009 21:55:07 GMT

Entities like LT and GT are encoded correctly, but entities like ENDASH, EMDASH, SIGMA, BULL and others get replaced by their unicode counterparts instead of being kept as they are.

Commented Issue: AntiXSS clears child controls from Hyperlink [10644]

limande — Wed, 14 Oct 2009 12:38:49 GMT

If a Hyperlink has child controls they will be cleared if AntiXSS is set to protect the Text property of Hyperlink controls. Using Reflector shows that setting the Text property (of Hyperlink controls) clears its child controls. I believe this could be fixed if AntiXSS would only set the Text property if it is not blank. I'm using the AntiXSS V3.1 release.
Comments: ** Comment from web user: limande **

it's same with TableCell and TableHeaderCell and LinkButton

Commented Issue: AntiXSS clears child controls from Hyperlink [10644]

limande — Wed, 14 Oct 2009 11:42:25 GMT

I have not this issue ?!

Commented Issue: Encoding for HtmlGenericControl is not compatible with (e.g., MasterPages) [10635]

limande — Wed, 14 Oct 2009 11:13:43 GMT

The following exception is generated (V3.1 release).

TargetInvocationException: Exception has been thrown by the target of an invocation. --->System.Web.HttpException: Cannot get inner content of because the contents are not literal.
at System.Web.UI.HtmlControls.HtmlContainerControl.get_InnerHtml()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Reflection.RuntimePropertyInfo.GetValue(Object obj, BindingFlags invokeAttr, Binder binder, Object[] index, CultureInfo culture)
at System.Reflection.RuntimePropertyInfo.GetValue(Object obj, Object[] index)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.EncodeControl(Control control, String type)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.FindAndEncodeControls(Page p, ControlCollection cc)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.FindAndEncodeControls(Page p, ControlCollection cc)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.EncodePage(Page p)
at Microsoft.Security.Application.SecurityRuntimeEngine.PageProtection.XssProtection.page_PreRender(Object sender, EventArgs e)
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Web.UI.Control.OnPreRender(EventArgs e)
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Comments: ** Comment from web user: limande **

when could it be solved ?

Commented Issue: Encoding for HtmlGenericControl is not compatible with (e.g., MasterPages) [10635]

me1 — Sun, 20 Sep 2009 11:58:26 GMT

Same issue here for all pages in the application with and without master pages.

Created Issue: AntiXSS clears child controls from Hyperlink [10644]

Capsaicin — Thu, 17 Sep 2009 18:20:06 GMT

Created Issue: Encoding for HtmlGenericControl is not compatible with (e.g., MasterPages) [10635]

Capsaicin — Wed, 16 Sep 2009 20:15:58 GMT

Created Issue: Controls in Repeater's ItemTemplate are not encoded [10634]

Capsaicin — Wed, 16 Sep 2009 20:12:00 GMT

I have a simple repeater with an ObjectDataSource and a Label in the ItemTemplate. The labels text is not encoded.

<asp:repeater id="uxListRepeater" datasourceid="uxListDataSource" runat="server">
<itemtemplate>
<asp:label id="uxLabel" text='<%# Eval("MyField") %>' runat="server" />
</itemtemplate>
</asp:repeater>
<asp:objectdatasource id="uxListDataSource" runat="server" typename="MyBll" selectmethod="GetMyData"></asp:objectdatasource>

Commented Issue: AntiXss.UrlEncode encodes a complete url instead of just parameters

syedab — Tue, 07 Jul 2009 12:34:54 GMT

Doing this
string s = AntiXss.UrlEncode("http://antixss.codeplex.com/WorkItem/Create.aspx?ProjectName=AntiXSS");

Results to this:
http%3a%2f%2fantixss.codeplex.com%2fWorkItem%2fCreate.aspx%3fProjectName%3dAntiXSS

which is unusable.

Only parameters should be encoded.
Comments: ** Comment from web user: syedab **

All the methods in the AntiXSS library encodes the given input. You should be using <a href=”http://search.msn.com/results.aspx?q=[Untrusted input]”>Click Here!</a>

Created Issue: AntiXss.UrlEncode encodes a complete url instead of just parameters

sigmb — Mon, 06 Jul 2009 19:25:04 GMT

Created Issue: AntiXssModule encoded data after postback

sigmb — Mon, 29 Jun 2009 23:05:09 GMT

In the AntiXssModule, controls are encoded before rendering. But when a control's data is used after a postback it is returning the encoded string.
Example

if(!Page.IsPostBack)
{
Label1.Text = "<sript>alert('Hello world');</script>";
}
else
{
Button1.Text = Label1.Text; // data is html encoded, should be decoded
}

Real world example

if(!Page.IsPostBack)
{
Label1.Text = "2009/06/29";
}
else
{
Button1.Text = DateTime.Parse(Label1.Text); // data is html encoded, creates an error
}

Created Issue: Empty String or Null properties are still encoded

sigmb — Fri, 26 Jun 2009 17:26:55 GMT

Empty String or Null properties are still encoded. This generates an error when the property was intended to have a null value and the AntiXss's encode method returns an empty string. Good example is a ListBox with values. The Text property for ListBox auto selects a value in the list item. Since an empty string is returned, ASP.NET generates an error:
'ListBox' has a SelectedValue which is invalid because it does not exist in the list of items.

Created Issue: Title property for System.Web.UI.Page

sigmb — Fri, 26 Jun 2009 17:21:20 GMT