Microsoft's AntiXSS library has been broken for 6 months and it looks abandoned (that may or may not officially be the case). Due to a security issue with previous versions, it is not safe to rollback to an earlier release. Are there any good actively developed alternatives for AntiXSS and web security in general when working with the Microsoft (specifically MVC) stack?
问题:
回答1:
There's a new xss sanitizer shipping with the June 2012 release of the ajax control toolkit. The toolkit was originally using the microsoft anti xss library as well, so they experienced the same problems. The new sanitizer is based off the HtmlAgilityPack
See http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx
回答2:
I have the same issue and I've been looking high and low for a solution but haven't found anything else out there.
Basically, I think the only option moving forward is to use some flavour of WMD (like they do here on Stackoverflow)... send it back to the server as WMD markup then save it in the database as HTML and then convert it html when spitting it out on the page on the server.
This could be a good start: http://code.google.com/p/pagedown/
回答3:
Have you had a look at the Open Web Application Security Project (OWASP)? Troy Hunt has a good post about it on his blog, check it out here:
http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html
Note that I haven't worked with it myself so I'm not certain wether it is what you'r looking for, just thought I'd share it.