Microsoft Anti-Cross Site Scripting Library (AntiXSS Library) v4.2.1

Posted by 张善友


The AntiXSS library is currently at version 4.2.1 and can be downloaded from http://www.microsoft.com/download/en/details.aspx?id=28589. It has been through a thorough rewrite and, from a security standpoint, it provides a better HTML encoder than the one that ships with ASP.NET. Not that there is anything wrong with Server.HtmlEncode; it simply favours compatibility over security. AntiXSS takes a different approach to encoding (a whitelist of known-safe characters rather than a blacklist of dangerous ones). For details see msdn.microsoft.com/security/aa973814. Jon Galloway has published an excellent article on the subject at http://weblogs.asp.net/jgalloway/archive/2011/04/28/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net.aspx.

This release addresses a vulnerability in the HTML Sanitizer, MS12-007 (http://technet.microsoft.com/en-us/security/bulletin/ms12-007), and adds full support for .NET 4.0 as well as restoring support for .NET 2.0.
The sanitizer has been changed to remove all CSS it encounters. This new behaviour means that if you were relying on CSS formatting being preserved from sanitized HTML, that is no longer going to be the case.
In addition to the change necessary to correct the vulnerability there are a few new features:

  • Minimum Requirements.

You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.

  • Invalid Unicode no longer throws an exception.

Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

  • UrlPathEncode added.

The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.

  • .NET 4.0 encoder support.

There's finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0, make sure you are using the .NET 4.0 version of the encoding library, then edit your web.config and add the encoderType attribute to the httpRuntime element, e.g.

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
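The following is an added example (not from the original post, nor from Microsoft's own samples) showing how the encoders described above are used from application code. It assumes AntiXssLibrary.dll from the 4.2.1 release (the .NET 4.0 build) is referenced, and HtmlSanitizationLibrary.dll for the sanitizer call; the sample input strings are constructed for illustration. Each output context gets its own encoder, and the invalid-Unicode case shows the 4.2.1 behaviour of substituting U+FFFD instead of throwing.

```csharp
// Added example, not part of the AntiXSS release or the original post.
// Assumes: AntiXssLibrary.dll (encoders) and HtmlSanitizationLibrary.dll (Sanitizer) are referenced.
using System;
using System.Collections.Generic;
using Microsoft.Security.Application;

static class AntiXssContextEncoding
{
    // Constructed, untrusted-looking input. The correct encoder depends on where the value is emitted.
    const string Input = "<img src=x onerror=alert(1)> \"O'Neil\" & co";

    // Encodes one input for each output context it might be written into.
    public static IDictionary<string, string> EncodeForAllContexts(string input)
    {
        return new Dictionary<string, string>
        {
            // Element content:            <div>{here}</div>
            { "html",           Encoder.HtmlEncode(input) },
            // Quoted attribute value:     <input value="{here}">
            { "html-attribute", Encoder.HtmlAttributeEncode(input) },
            // JavaScript string literal:  var s = {here};  (AntiXSS emits the surrounding quotes)
            { "javascript",     Encoder.JavaScriptEncode(input) },
            // CSS property value:         .x { content: {here} }
            { "css",            Encoder.CssEncode(input) },
            // URL path segment (new in 4.2.1): /files/{here}
            { "url-path",       Encoder.UrlPathEncode(input) },
            // URL query-string value:     ?q={here}
            { "url-query",      Encoder.UrlEncode(input) },
        };
    }

    // 4.2.1 behaviour: an unpaired surrogate is replaced with U+FFFD rather than raising an exception.
    // Depending on the safe-list configuration the replacement may appear raw or as the entity &#65533;.
    public static bool InvalidUnicodeIsReplaced()
    {
        string lone = "abc" + '\uD800' + "def";   // constructed: high surrogate with no low half
        string encoded = Encoder.HtmlEncode(lone);
        return encoded.Contains("\uFFFD") || encoded.Contains("&#65533;");
    }

    // The sanitizer keeps a safe subset of markup but, since 4.2.1, strips all CSS (style attributes included).
    public static string SanitizeFragment(string untrustedHtml)
    {
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }

    static void Main()
    {
        foreach (var pair in EncodeForAllContexts(Input))
            Console.WriteLine("{0,-15} {1}", pair.Key, pair.Value);

        Console.WriteLine("invalid Unicode replaced: " + InvalidUnicodeIsReplaced());

        // Constructed input: the <b> survives, the inline style and the script do not.
        Console.WriteLine(SanitizeFragment("<b style=\"color:red\">bold</b><script>alert(1)</script>"));
    }
}
```

Once the encoderType attribute from the web.config snippet above is in place, .NET 4.0 routes HttpUtility.HtmlEncode, Server.HtmlEncode and the <%: %> syntax through HttpEncoder.Current, so existing pages pick up the AntiXSS HTML and URL encoders without code changes; the direct Encoder.* calls remain the way to reach the JavaScript, CSS and URL-path encoders, which the framework hook does not cover.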

See also: Protecting your ASP.NET applications

See also: SRE with AntiXSS Module
