17

I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from Microsoft on the net and I was wondering if this would work with a classic application?

If not do you have any ideas how I could go about sanitizing the strings?

4

5 回答 5

18

To sanitize strings I would HTML encode all output, that way you don't have to dink around with special characters or huge regex expressions 

Server.HTMLEncode(string)

The two most important countermeasures to prevent cross-site scripting attacks are to:

  • Constrain input.
  • Encode output.

via How To: Prevent Cross-Site Scripting in ASP.NET (i know i'ts not classic asp but there are similar principals)

于 2009-04-07T14:05:08.437 回答
2

When functions don't exist in classic ASP, write them.

于 2009-04-07T14:51:41.677 回答
1

If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:

set objRegExp = new RegExp
with objRegExp
    .Pattern = "<^((b)|(i)|(em)|(strong)|(br))>.*</.*>"
    .IgnoreCase = varIgnoreCase
    .Global = True
end with
cleanString = objRegExp.replace(originalString, "")
于 2009-10-28T19:49:22.750 回答
0

Not easily - you'd need to make a COM-callable wrapper, install on the servers, etc. I simply don't think it is a suitable fit for "classic" ASP.

于 2009-04-07T14:00:57.353 回答
-1 
<% 
Response.AddHeader "X-XSS-Protection", "1" 
%>
于 2015-07-28T14:40:42.380 回答