XSS, HttpEncode, AspView and being Secure By Default

   edit
Follow


If you know not what XSS is or how easily you can expose your application to XSS, take a short read at the next posts:

AspView was written by me, for my (and my employer at the time) use. Therefore, I did not make it ‘secure by default’ in terms of HttpEncode.

However, seeing now that the convention lean toward outputing HtmlEncode-ed by default, I’m adapting AspView to that.

The usage would be similar to the one suggested for Asp.NET MVC at http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/

So,

&lt;%="<tag&gt;" %>

would output

&amp;lt;tag&amp;gt;

While

&lt;%=RawHtml("<tag&gt;") %>

would output

&lt;tag&gt;

The only exception here is ViewContents on layouts. since the view contents is 99% of the times made of markup, so in the layout would still write:

&lt;%=ViewContents %&gt;

All of that stuff is being implemented with AspView trunk (versions 1.0.4.x) that works with Castle trunk.

If anyone wishes me to bubble it down to the 1.0.3.x branch (for Castle RC3), please leave your comments here. Unless I’ll see that people actually want that I would probably not make the effort.


Tweet Follow @kenegozi