Darrell Norton's Blog [MVP]

Avoiding cross-site scripting attacks with a Secure Label

Cross-site scripting (XSS) attacks are one of the easiest hacks to do, and usually pretty effective merely because developers do not guard against the threat. It is a pain to have to write Server.HtmlEncode( string ) over and over again, or to go into the DataBindings for a label and customize the DataBinding expression to do this. So instead we created a SecureLabel control. It inherits from System.Web.UI.WebControls.Label and overrides the Render method, adding one line that HtmlEncodes the label's Text before the base class writes it out. This way we kept all the designer support for a regular label.

Take the code, put it in a library, and just include the dll in your next project.  You can even add it to your component toolbox in VS.NET, so the next time you need a secure label, you can just drag and drop it on the page.  Here's the code:

using System.Web;
using System.Web.UI.WebControls;

namespace NorthropGrumman.APEB.StandardWebControls
{
    /// <summary>
    /// HTML-encodes text to prevent malicious scripting.
    /// </summary>
    public class SecureLabel : System.Web.UI.WebControls.Label
    {
        public SecureLabel()
        { }

        protected override void Render(System.Web.UI.HtmlTextWriter writer)
        {
            // Encode the label's text right before it is written, so any markup
            // in user-supplied data is emitted as literal characters, not HTML.
            this.Text = HttpContext.Current.Server.HtmlEncode(this.Text);
            base.Render(writer);
        }
    }
}
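As an added illustration (not code from the original post or its library), the following hypothetical variant encodes inside RenderContents rather than writing the encoded value back into Text, so a second Render in the same request, or a later read of Text, never sees double-encoded output; it uses HttpUtility.HtmlEncode so it also renders outside a live request. A small console harness renders a plain Label and the variant to a string; SecureLabelNoMutate, SecureLabelDemo and RenderToString are names introduced here, and the inputs are constructed.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical variant of the post's SecureLabel: it encodes while writing the
// span's contents instead of assigning the encoded string back to Text, so a
// second Render in the same request (or reading Text afterwards) never sees
// double-encoded output. HttpUtility.HtmlEncode needs no HttpContext.
public class SecureLabelNoMutate : Label
{
    protected override void RenderContents(HtmlTextWriter writer)
    {
        writer.Write(HttpUtility.HtmlEncode(this.Text));
    }
}

public static class SecureLabelDemo
{
    // Render any control to a string exactly as ASP.NET would emit it.
    public static string RenderToString(Control control)
    {
        using (StringWriter sw = new StringWriter())
        using (HtmlTextWriter writer = new HtmlTextWriter(sw))
        {
            control.RenderControl(writer);
            return sw.ToString();
        }
    }

    public static void Main()
    {
        // Constructed inputs: a script tag, markup with an ampersand, and the
        // euro, pound and copyright symbols mentioned in the comments.
        string[] samples = { "<script>alert(1)</script>", "Tom & Jerry <b>x</b>", "\u20AC \u00A3 \u00A9" };
        foreach (string s in samples)
        {
            Label plain = new Label { Text = s };
            SecureLabelNoMutate secure = new SecureLabelNoMutate { Text = s };
            string first = RenderToString(secure);
            string second = RenderToString(secure);
            Console.WriteLine("plain : " + RenderToString(plain));
            Console.WriteLine("secure: " + first);
            // Text was left untouched, so the second render is identical.
            Console.WriteLine("stable: " + (first == second) + ", Text unchanged: " + (secure.Text == s));
        }
    }
}
```

The plain Label writes the script tag straight into the page, while the variant emits it as &lt;script&gt;... inside the span; the symbols are either passed through or written as numeric entities, either way rendering correctly in the browser.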


Posted 07-25-2003 8:58 AM by Darrell Norton


Comments

Steve wrote re: Avoiding cross-site scripting attacks with a Secure Label
on 07-25-2003 6:30 AM
Nice control! I'll have to steal that for my next project ;-)
Paul Laudeman wrote re: Avoiding cross-site scripting attacks with a Secure Label
on 07-26-2003 4:20 AM

Nice!

Also, the .NET Framework 1.1 has a new feature for ASP.NET, turned on by default, that automagically strips out HTML characters from any input (from the Request and Response objects). This feature is known as "safe-postback" or "request validation" and you can find out more about it here:

http://www.asp.net/faq/RequestValidation.aspx

Also, if you are serious about securing your .NET applications (webforms or winforms), this book is a must-read:

Writing Secure Code, Second Edition
http://www.microsoft.com/mspress/books/toc/5957.asp
Xavi Rompe wrote re: Avoiding cross-site scripting attacks with a Secure Label
on 09-30-2004 3:54 AM
Easy and nice, very useful for HTML entities rendering from user data input:

€ £ ©

Darrell wrote re: Avoiding cross-site scripting attacks with a Secure Label
on 09-30-2004 4:30 AM
Xavi - I had not thought about those symbols, but I guess you've proved that they do work!
test wrote re: Avoiding cross-site scripting attacks with a Secure Label
on 12-28-2004 7:59 AM
<label>