XSS protection: encode all class string properties easily

Filed under: ASP.NET MVC, Programming — Sander @ 11:58:40


Protecting your web applications against XSS or cross-site scripting should be a no-brainer for web programmers. The vulnerability is well-known and understood.

And yet, by far the majority of website security vulnerabilities are XSS-related. Either we forget to strip the tags, whitelist the tags or encode the string, or, in many cases, we deem it an unnecessary precaution.

Don’t do the latter. Always minimize the attack surface, even if you’re writing an intranet web application for six users. There is no such thing as a completely secure application or website, but that is what we should aim for, even though the goal is impossible to reach.

To help with encoding, I created a helper class that automatically encodes, whitelists or strips the tags from all writeable string properties of a class, be it a DTO, a viewmodel, an entity from EF or something else. Note that this is NOT a complete solution: you need to decide which type of protection to implement; see the newValue variable. A tag whitelist or wholesale HttpUtility.HtmlEncode() are probably your best bets (I’ll try to do an article about HTML tag whitelisting next week).

I also encourage you to extend and improve my solution, as there are a great many things that could be added, such as specific XSS protection for different fields (using an attribute, for example), encoding of strings in arrays/lists/dictionaries, support for fields and private properties, and so forth.

HtmlEncoder has just one method, EncodeHtml(), with two signatures. You can specify which properties to exclude from XSS protection. Say you have a DTO class for a comment, with string properties such as Content, Email, Name, Website and Signature. You want to allow limited HTML in the signature and content, so you don’t want them to be completely encoded and therefore need to exclude them.

  • HtmlEncoder.EncodeHtml(myCommentDto); if you want all of the string properties to be affected.
  • HtmlEncoder.EncodeHtml(myCommentDto, x => x.Content, x => x.Signature); – exclude Content and Signature using lambda expressions. This is the preferred way of excluding properties, as the compiler will catch typos or property name changes. You will not get an error if you add a non-string property by accident; it is simply ignored.
  • HtmlEncoder.EncodeHtml(myCommentDto, "Content", "Signature"); – exclude Content and Signature by specifying the property names as strings. Note that a typo or a property name change means that the property will silently still be encoded. You may even want to declare this overload private, so other programmers cannot use it and introduce subtle, hard-to-find bugs.

And here is the class. Happy encoding!

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;
using System.Web;

/// <summary>
/// Helper to escape HTML in all string properties of a class.
/// </summary>
public static class HtmlEncoder
{
    /// <summary>
    /// Encodes the HTML in all writeable public string properties which are not named by the excludedProperties expressions.
    /// Use: HtmlEncoder.EncodeHtml(comment, x => x.CommentBody, x => x.SomeOtherProperty, x => x.CreatedBy, x => x.CreatedDate);
    /// or: HtmlEncoder.EncodeHtml(comment); if you don't need to exclude any properties.
    /// Non-string properties are not affected, and no error is thrown if you include them in the excluded properties.
    /// Values of the excluded string properties are left unchanged.
    /// </summary>
    /// <typeparam name="TEntity">The type of the entity.</typeparam>
    /// <param name="entity">The entity.</param>
    /// <param name="excludedProperties">The excluded properties.</param>
    public static void EncodeHtml<TEntity>(TEntity entity, params Expression<Func<TEntity, object>>[] excludedProperties) where TEntity : class
    {
        EncodeHtml(entity, GetExcludedStringPropertyNames(excludedProperties).ToArray());
    }

    /// <summary>
    /// Encodes the HTML in all writeable public string properties which are not named in excludedProperties.
    /// Use: HtmlEncoder.EncodeHtml(comment, "CommentBody", "SomeOtherProperty", "CreatedBy")
    /// Values of the excluded string properties are left unchanged.
    /// </summary>
    /// <typeparam name="TEntity">The type of the entity.</typeparam>
    /// <param name="entity">The entity.</param>
    /// <param name="excludedProperties">Names of the properties to leave untouched.</param>
    public static void EncodeHtml<TEntity>(TEntity entity, params string[] excludedProperties) where TEntity : class
    {
        // BindingFlags.SetProperty does not filter GetProperties(), so writeability is checked via CanWrite
        var stringProperties = typeof(TEntity).GetProperties(BindingFlags.Instance | BindingFlags.Public)
            .Where(x => x.PropertyType == typeof(string) && x.CanWrite && !excludedProperties.Contains(x.Name)).ToList();

        foreach (var propertyInfo in stringProperties)
        {
            var value = (string)propertyInfo.GetValue(entity, null);

            if (!string.IsNullOrWhiteSpace(value))
            {
                // Apply here a suitable method of encoding: replace, wholesale HtmlEncode(), tag whitelisting or something else
                var newValue = value.Replace('<', ' ').Replace('>', ' ');
                //var newValue = HttpUtility.HtmlEncode(value);

                propertyInfo.SetValue(entity, newValue, null);
            }
        }
    }

    /// <summary>
    /// Gets from the expressions only the names of writeable string properties, so we know what to exclude.
    /// </summary>
    /// <typeparam name="TEntity">The type of the entity.</typeparam>
    /// <param name="expressions">Member access expressions such as x => x.Content.</param>
    /// <returns>The names of the writeable string properties found in the expressions.</returns>
    private static List<string> GetExcludedStringPropertyNames<TEntity>(params Expression<Func<TEntity, object>>[] expressions)
    {
        var propertyNames = new List<string>(expressions.Length);

        // This could be pure LINQ, but is far easier to debug and understand as a foreach.
        // Value-type properties arrive wrapped in a Convert node, so they are not MemberAccess and are skipped silently.
        foreach (var expression in expressions)
        {
            if (expression.Body.NodeType == ExpressionType.MemberAccess)
            {
                var memberExpression = (MemberExpression)expression.Body;
                var info = memberExpression.Member as PropertyInfo;
                if (info != null && info.CanWrite && info.PropertyType == typeof(string))
                {
                    propertyNames.Add(memberExpression.Member.Name);
                }
            }
        }
        return propertyNames;
    }
}
```
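As an added example (written for this edit, not code from the post), here is one way to take up two of the extensions suggested earlier: a marker attribute that excludes a property instead of a lambda or a string name, and encoding of string lists. The names AllowRawHtml, HtmlEncoderByAttribute and CommentDto are assumed, and it uses System.Net.WebUtility.HtmlEncode so it compiles without a reference to System.Web.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Reflection;
// Hypothetical marker attribute (not in the original class): a property carrying it
// keeps its raw HTML, e.g. because a tag-whitelisting step handles it separately.
[AttributeUsage(AttributeTargets.Property)]
public sealed class AllowRawHtmlAttribute : Attribute { }
public static class HtmlEncoderByAttribute
{
    // Encodes every writeable public string property and every element of a public
    // IList<string> property, unless the property is marked with [AllowRawHtml].
    public static void EncodeHtml<TEntity>(TEntity entity) where TEntity : class
    {
        var properties = typeof(TEntity)
            .GetProperties(BindingFlags.Instance | BindingFlags.Public)
            .Where(p => p.GetCustomAttribute<AllowRawHtmlAttribute>() == null);
        foreach (var p in properties)
        {
            var value = p.GetValue(entity, null);
            if (value is string s && p.CanWrite)
                p.SetValue(entity, WebUtility.HtmlEncode(s), null); // escapes < > & " ' like HttpUtility.HtmlEncode
            else if (value is IList<string> list)
                for (var i = 0; i < list.Count; i++) // in place, so get-only list properties are covered too
                    list[i] = list[i] == null ? null : WebUtility.HtmlEncode(list[i]);
        }
    }
}
// Constructed sample DTO, shaped like the comment DTO discussed in the post
public class CommentDto
{
    public string Name { get; set; }
    [AllowRawHtml] public string Signature { get; set; }
    public IList<string> Links { get; } = new List<string>();
}

public static class Program
{
    public static void Main()
    {
        var dto = new CommentDto { Name = "<b>Sander</b> & co", Signature = "<i>regards</i>" };
        dto.Links.Add("<a href='/'>home</a>");
        HtmlEncoderByAttribute.EncodeHtml(dto);
        Console.WriteLine(dto.Name);      // encoded
        Console.WriteLine(dto.Signature); // untouched because of [AllowRawHtml]
        Console.WriteLine(dto.Links[0]);  // encoded in place
    }
}
```

Like the original class, this replaces the values on the object itself, so call it once, at the boundary where untrusted input enters, rather than on every read.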
