Anti XSS and Classic ASP

17
votes

I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from Microsoft on the net and I was wondering if this would work with a classic application?

If not do you have any ideas how I could go about sanitizing the strings?

5
securityasp-classicxss

5 Answers

18
votes

To sanitize strings I would HTML encode all output, that way you don't have to dink around with special characters or huge regex expressions 

Server.HTMLEncode(string)

The two most important countermeasures to prevent cross-site scripting attacks are to:

  • Constrain input.
  • Encode output.

via How To: Prevent Cross-Site Scripting in ASP.NET (i know i'ts not classic asp but there are similar principals)

1
votes

If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:

set objRegExp = new RegExp
with objRegExp
    .Pattern = "<^((b)|(i)|(em)|(strong)|(br))>.*</.*>"
    .IgnoreCase = varIgnoreCase
    .Global = True
end with
cleanString = objRegExp.replace(originalString, "")
0
votes

Not easily - you'd need to make a COM-callable wrapper, install on the servers, etc. I simply don't think it is a suitable fit for "classic" ASP.

-1
votes
<% 
Response.AddHeader "X-XSS-Protection", "1" 
%>