- This is not input validation. This is output validation (to mitigate the “echoing untrusted input” problem which is common in HTML ). So input validation techniques including the ASP.net ValidateInput attribute are still valid and compliment the XSS Lib.
- This does not replace HtmlEncode and friends – there are scenarios where they are still valid. Think of XSS Lib as an HtmlEncode implementation specifically designed from out output validation perspective
- The principle of inclusion mentioned in XSS Lib is not described anywhere on the XSSLib page, so here is a small commentary:
The principle of inclusion or the principle of whitelisting is the idea of checking for good, known stuff as against checking for bad, unknown stuff. Most validation checks look for bad data and that can be leaky since it assumes that the check was aware of all bad data possible. This approach, which is called black-listing or exclusion, is deprecated by the approach of white-listing or inclusion where the check looks for good data which is known to the check. The principle can be used for both input validation (like in ValidateInput) or output validation (like this XSS Lib).
- Like everything else in security, this is not a 100% safety net and it is still important to do threat modeling of your application
While we can check for valid characters (in output or input), it is entirely possible that in a future date, an attack can be created by combining safe characters in a specific way. The attach may not be general purpose, but directed against a specific application. So developers are encouraged to use the platform facilities and also do their own threat modeling to come up with potential attach scenarios not mitigated by the platform.
Recent Comments