OWASP O2 Platform Blog

O2 Script: AntiXSS – Test multiple Encodings

On the topic of AntiXSS here is a script I wrote ages ago called “AntiXSS – Test multiple Encodings.h2” which shows quickly the different behaviours of the different .NET encoding APIs:

Here is the source of this script:

var topPanel = O2Gui.open<Panel>("AntiXSS and HttpUtility encodings", 600,300); 
var result = topPanel.add_TextArea();
Action<string> showEncodings =
    (textToEncode)=>{
                        result.set_Text("");
                        result.append_Line("AntiXss.HtmlEncode -> {0}".format(AntiXss.HtmlEncode(textToEncode)));
                        result.append_Line("------------------------");
                        result.append_Line("AntiXss.UrlEncode -> {0}".format(AntiXss.UrlEncode(textToEncode)));
                        result.append_Line("------------------------");
                        result.append_Line("AntiXss.JavascriptEncode -> {0}".format(AntiXss.JavaScriptEncode(textToEncode)));
                        result.append_Line("------------------------");
                        result.append_Line("System.Web.HttpUtility.HtmlEncode -> {0}".format(System.Web.HttpUtility.HtmlEncode(textToEncode)));
                        result.append_Line("------------------------");
                        result.append_Line("System.Web.HttpUtility.UrlEncode -> {0}".format(System.Web.HttpUtility.UrlEncode(textToEncode)));
                        result.append_Line("------------------------");
                        result.append_Line("Original string (unencoded) -> {0}".format(textToEncode));
                        result.append_Line("------------------------");
                    };

var testPayload = "abc 123 \" ' < > \n :   ;   ".line() + "After an Enter";                    
result.insert_Above<Panel>(20)
      .add_LabelAndTextAndButton("Payload", testPayload, "convert", showEncodings);

showEncodings(testPayload);

//return AntiXss.HtmlEncode(payload);
//return "AntiXSSLibrary.dll".assembly().methods();
//using Microsoft.Security.Application
//O2Ref:AntiXSSLibrary.dll

November 16, 2011 - Posted by | .NET, AntiXss

2 Comments »

  1. Can you run the OWASP ESAPI encoder test cases against it? That would be something.

    Comment by Jeff Williams | November 18, 2011 | Reply

    • Sure, I’ll try first with the .NET one.

      Is there a way for me to consume the ESAPI Java Encoder from .NET?

      Comment by Dinis Cruz | November 20, 2011 | Reply


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: