O2 Script: AntiXSS – Test multiple Encodings
On the topic of AntiXSS, here is a script I wrote ages ago called “AntiXSS – Test multiple Encodings.h2” which quickly shows the different behaviours of the different .NET encoding APIs (AntiXSS versus System.Web.HttpUtility) on the same input string.
Here is the source of this script:
```csharp
var topPanel = O2Gui.open<Panel>("AntiXSS and HttpUtility encodings", 600,300);
var result = topPanel.add_TextArea();

// Runs the same string through each encoder and shows the results side by side
Action<string> showEncodings =
    (textToEncode)=>{
        result.set_Text("");
        result.append_Line("AntiXss.HtmlEncode -> {0}".format(AntiXss.HtmlEncode(textToEncode)));
        result.append_Line("------------------------");
        result.append_Line("AntiXss.UrlEncode -> {0}".format(AntiXss.UrlEncode(textToEncode)));
        result.append_Line("------------------------");
        result.append_Line("AntiXss.JavascriptEncode -> {0}".format(AntiXss.JavaScriptEncode(textToEncode)));
        result.append_Line("------------------------");
        result.append_Line("System.Web.HttpUtility.HtmlEncode -> {0}".format(System.Web.HttpUtility.HtmlEncode(textToEncode)));
        result.append_Line("------------------------");
        result.append_Line("System.Web.HttpUtility.UrlEncode -> {0}".format(System.Web.HttpUtility.UrlEncode(textToEncode)));
        result.append_Line("------------------------");
        result.append_Line("Original string (unencoded) -> {0}".format(textToEncode));
        result.append_Line("------------------------");
    };

// Default payload covering quotes, angle brackets, a newline and separators
var testPayload = "abc 123 \" ' < > \n : ; ".line() + "After an Enter";

result.insert_Above<Panel>(20)
      .add_LabelAndTextAndButton("Payload", testPayload, "convert", showEncodings);

showEncodings(testPayload);

//return AntiXss.HtmlEncode(payload);
//return "AntiXSSLibrary.dll".assembly().methods();
//using Microsoft.Security.Application
//O2Ref:AntiXSSLibrary.dll
```
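The point the script makes is that "encoding" is not one operation: an HTML-body encoder, a URL encoder and a JavaScript-string encoder each produce different output for the same characters, and a denylist-style HTML encoder (escape only a handful of known-bad characters) leaves characters such as the apostrophe untouched, while an allowlist-style encoder (escape everything that is not alphanumeric) does not. The following Python re-implementation of that comparison is an added example, not part of the original O2 script and not the AntiXSS library's code; the encoder functions are simplified models of the two approaches, not a reproduction of the .NET APIs, and the payload is the same constructed test string the script uses.

```python
import urllib.parse

# Constructed test payload, mirroring the O2 script's default input
PAYLOAD = "abc 123 \" ' < > \n : ; " + "\n" + "After an Enter"


def denylist_html_encode(text: str) -> str:
    """Escape only the characters commonly treated as dangerous in HTML text.

    Models the minimal, denylist style of encoder (assumption: simplified model).
    Note the apostrophe is NOT on the list, so it passes through unchanged.
    """
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def allowlist_html_encode(text: str) -> str:
    """Escape everything that is not an ASCII letter, digit or space.

    Models the allowlist style of encoder (assumption: simplified model).
    Unknown characters become numeric character references, so the output
    contains no raw punctuation at all.
    """
    out = []
    for ch in text:
        if (ch.isascii() and ch.isalnum()) or ch == " ":
            out.append(ch)
        else:
            out.append("&#%d;" % ord(ch))
    return "".join(out)


def javascript_encode(text: str) -> str:
    """Encode for placement inside a JavaScript string literal.

    Non-alphanumerics become \\xHH (or \\uHHHH above 0xFF) escapes so that
    quotes, newlines and angle brackets cannot terminate the literal.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def url_encode(text: str) -> str:
    """Percent-encode every character that is not unreserved (space -> %20)."""
    return urllib.parse.quote(text, safe="")


def show_encodings(text: str) -> dict:
    """Return every encoder's output for the same input, like the script's panel."""
    return {
        "allowlist HtmlEncode": allowlist_html_encode(text),
        "denylist HtmlEncode": denylist_html_encode(text),
        "UrlEncode": url_encode(text),
        "JavaScriptEncode": javascript_encode(text),
        "Original (unencoded)": text,
    }


def html_encoders_disagree_on(text: str) -> set:
    """Characters of `text` for which the two HTML encoders produce different output."""
    return {ch for ch in set(text)
            if denylist_html_encode(ch) != allowlist_html_encode(ch)}


if __name__ == "__main__":
    for name, value in show_encodings(PAYLOAD).items():
        print("%s -> %r" % (name, value))
        print("------------------------")
    print("HTML encoders disagree on:", sorted(html_encoders_disagree_on(PAYLOAD)))
```

Running the module prints the same kind of side-by-side table the O2 panel shows; `html_encoders_disagree_on` makes the security-relevant difference explicit: the apostrophe, the newline and the separators are only neutralised by the allowlist encoder, which is why the encoder has to be chosen for the exact output context (HTML body, attribute, URL or JavaScript string) rather than treated as a generic "make it safe" call.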
Can you run the OWASP ESAPI encoder test cases against it? That would be something.
Comment by Jeff Williams | November 18, 2011 |
Sure, I’ll try first with the .NET one.
Is there a way for me to consume the ESAPI Java Encoder from .NET?
Comment by Dinis Cruz | November 20, 2011 |