O2 Script: AntiXSS – Test multiple Encodings
On the topic of AntiXSS here is a script I wrote ages ago called “AntiXSS – Test multiple Encodings.h2” which shows quickly the different behaviours of the different .NET encoding APIs:
Here is the source of this script:
var topPanel = O2Gui.open<Panel>("AntiXSS and HttpUtility encodings", 600,300);
var result = topPanel.add_TextArea();
Action<string> showEncodings =
(textToEncode)=>{
result.set_Text("");
result.append_Line("AntiXss.HtmlEncode -> {0}".format(AntiXss.HtmlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("AntiXss.UrlEncode -> {0}".format(AntiXss.UrlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("AntiXss.JavascriptEncode -> {0}".format(AntiXss.JavaScriptEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("System.Web.HttpUtility.HtmlEncode -> {0}".format(System.Web.HttpUtility.HtmlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("System.Web.HttpUtility.UrlEncode -> {0}".format(System.Web.HttpUtility.UrlEncode(textToEncode)));
result.append_Line("------------------------");
result.append_Line("Original string (unencoded) -> {0}".format(textToEncode));
result.append_Line("------------------------");
};
var testPayload = "abc 123 \" ' < > \n : ; ".line() + "After an Enter";
result.insert_Above<Panel>(20)
.add_LabelAndTextAndButton("Payload", testPayload, "convert", showEncodings);
showEncodings(testPayload);
//return AntiXss.HtmlEncode(payload);
//return "AntiXSSLibrary.dll".assembly().methods();
//using Microsoft.Security.Application
//O2Ref:AntiXSSLibrary.dll
2 Comments »
Leave a comment
About
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge.
O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex)
Download
Windows ClickOnce Installer:
Mailing List
The best place to keep updated with the lastest news and developers it to subscribe to the OWASP O2 Platform Mailing list (you can read its archives here)
OWASP O2 Platform Blog 
Can you run the OWASP ESAPI encoder test cases against it? That would be something.
Sure, I’ll try first with the .NET one.
Is there a way for me to consume the ESAPI Java Encoder from .NET?