Just in Chronicles

Life as a Voyage

Removing the “x_” Prefixes Injected by AntiXSS Library, from the “id” and “class” Attributes

leave a comment »

Microsoft Web Protection Library provides strong security protection while building a web site. By using this library, the web site can avoid XSS attacks. One of the benefits using this library is that the web site can sanitise users’ input, that means the HTML input can be filtered by the library.

However, during the sanitisation process, a prefix, "x_", intentionally prepends both "id" and "class" attributes of each HTML element. The reason is that the sanitisation process cannot guarantee which "id" and "class" values are safe or not, so each "id" and "class" attribute have their prefix "x_" as a result. This is, of course, not desirable. So, developers have to get rid of those prefixes from the HTML output.

public static string RemoveSanitisedPrefixes(string html)
{
	Match match = Regex.Match(html, "(id|class)=\"?(x_).+\"?", RegexOptions.IgnoreCase);
	if (match.Success)
	{
		string key = match.Groups[2].Value;
		html = html.Replace(key, "");
	}
	return html;
}

Once your HTML contents are sanitised by Microsoft.Security.Application.GetSafeHtml() or Microsoft.Security.Application.GetSafeHtmlFragment(), pass the sanitised HTML value to the method above, and you’ll get the "x_" removed HTML contents.

Advertisements

Written by Justin Yoo

16/04/2012 at 13:25

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s