Invented here syndrome February 27, 2015 by eksith
Seems like as good a place as any to ask about your AntiXss article: https://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/
Have you come across any better strategies? Also, in 4.3.0, the Microsoft.Security.Application.Encoder.CssEncode is turning the styles into this: style="text0002Dalign0003A00020center0003B00020" Is this intended?
Thank you sir,
I’m afraid to say, the AntiXSS module is now completely and hopelessly broken in this regard. I honestly haven’t found any good workarounds as long as AntiXSS is involved so we’ve built a module from scratch using HtmlAgilityPack and regex filtering attributes. The custom filtering takes place around lines 145 – 154 in my example.
It’s not ideal, but it seems to work so far (our bit of code is tied up in licenses, but there are lots of examples out there of stripping unsafe chars).
We’ve also moved on from the .Net framework lately. There were too many breaking changes, too many hurdles and, dare I say, too much bloat in a lot of the web development tech Microsoft has put out to justify the time cost to developers. Our operation has since switched almost entirely to Python and PHP (yes, even PHP was more attractive here). These are just symptoms of a bigger cultural problem at Microsoft and I don’t know if things will ever change under new management.
If you can at all move on from ASP.Net, I’d strongly recommend you do so. I already did.
Good luck on your project!
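The parse-then-filter approach mentioned in the reply above, sketched as an added example: it is not the licensed module the reply refers to and not code from the original post. It uses Python's standard `html.parser` in place of HtmlAgilityPack, and the tag, attribute and CSS allowlists are assumptions chosen so that a `text-align: center` style survives while everything unlisted is dropped.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for this sketch: tag -> attributes it may carry.
ALLOWED_TAGS = {"p": {"style"}, "span": {"style"}, "b": set(), "i": set()}
# CSS property -> pattern the whole value must match (no url(), no escapes).
ALLOWED_CSS = {"text-align": re.compile(r"left|right|center|justify"),
               "font-weight": re.compile(r"normal|bold|[1-9]00")}

def filter_style(value):
    """Return only the allowlisted declarations of a style attribute."""
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip().lower()
        rule = ALLOWED_CSS.get(prop)
        if sep and rule and rule.fullmatch(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)

class Sanitizer(HTMLParser):
    # Output is rebuilt from parser events; the input is never edited in place.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is still escaped below
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or not value:
                continue  # onclick, href, id, ... never reach the output
            if name == "style":
                value = filter_style(value)
            if value:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Because each style value must match its pattern in full, a declaration is either emitted verbatim or dropped, so no CSS encoding step is applied to the attribute.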