TECHNIQUE 63 Using Microsoft's Anti-XSS Library

Microsoft's Anti-XSS Library is a combination of functionalities that protect web applications. You can freely download it at http://wpl.codeplex.com. At the time of this writing, the Anti-XSS Library is available in version 4. Version 3 introduced new features and it's been completely rewritten with performance in mind. A new Security Runtime Engine (SRE) HTTP module protects the applications using an approach that's similar to the default validation mechanism offered by ASP.NET, but with more features.

PROBLEM

When you're dealing with XSS, the simple HtmlEncode won't be enough. Sometimes you'll have to deal with user input that's to be added to JavaScript code, tag attributes, XML, or a URL. You want to stay secure in these scenarios.

SOLUTION

The Anti-XSS Library offers more methods that are specifically targeted to different untrusted inputs. The methods used to encode the inputs are listed in table 10.2.

Table 10.2 The main encoding methods of the Anti-XSS Library

Method                    Description
HtmlAttributeEncode       The input is used as an HTML attribute, like <div class="input">.
HtmlEncode                The input is used in HTML (but not on attributes).
JavaScriptEncode          The input is used in JavaScript code: <script type="text/javascript">alert('input')</script>.
VisualBasicScriptEncode   The input is used in VBS code: <script type="text/vbs">somecode</script>.
UrlEncode                 The input is used in a URL parameter, such as a query string.
XmlAttributeEncode        The input is used as an XML attribute.
XmlEncode                 The input is used in XML output (but not with attributes).
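The following added example (not code from the book) shows the same untrusted value being emitted into each of the output contexts from table 10.2 with the matching encoder. It assumes a reference to AntiXssLibrary.dll from version 4, where the methods are static members of Microsoft.Security.Application.Encoder, and that JavaScriptEncode has an overload taking an emitQuotes flag.

```csharp
// Added example: one untrusted value, one encoder per output context.
// Assumes Anti-XSS Library 4.x (Microsoft.Security.Application.Encoder).
using System;
using Microsoft.Security.Application;

static class ContextualEncodingDemo
{
    // Constructed untrusted input holding the characters that matter in every
    // context: quotes, angle brackets, an ampersand, a slash, '?' and '='.
    const string Untrusted = "O'Brien \"<b>&</b>\" /path?x=1";

    // HTML attribute context. HtmlAttributeEncode escapes quotes (and spaces),
    // so the value cannot close the title attribute or start another one.
    static string ForAttribute() =>
        "<div title=\"" + Encoder.HtmlAttributeEncode(Untrusted) + "\">";

    // HTML element content. HtmlEncode escapes < > & and quotes.
    static string ForBody() => "<p>" + Encoder.HtmlEncode(Untrusted) + "</p>";

    // JavaScript string literal. JavaScriptEncode escapes non-alphanumerics
    // with \x / \u sequences; emitQuotes is false here (assumed overload) and the
    // quotes are written explicitly so the literal is visible in the source.
    static string ForScript() =>
        "<script type=\"text/javascript\">var name = '"
        + Encoder.JavaScriptEncode(Untrusted, false) + "';</script>";

    // Query-string parameter. UrlEncode percent-encodes everything that is not
    // URL-safe, including the '?' and '=' that would otherwise add a parameter.
    static string ForUrl() =>
        "<a href=\"/search?q=" + Encoder.UrlEncode(Untrusted) + "\">search</a>";

    // XML sinks use their own encoders because XML entity rules differ from HTML.
    static string ForXml() =>
        "<user name=\"" + Encoder.XmlAttributeEncode(Untrusted) + "\">"
        + Encoder.XmlEncode(Untrusted) + "</user>";

    static void Main()
    {
        // Compare the five renderings: the same input is escaped differently in
        // each, which is why a single HtmlEncode is not enough.
        foreach (string s in new[] { ForAttribute(), ForBody(), ForScript(), ForUrl(), ForXml() })
            Console.WriteLine(s);
    }
}
```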
The SRE HTTP module will be useful when you want to add more security without touching your existing application. Its intention is to add more security, not to replace your current encoding strategies. SRE consists of a tool that analyzes an assembly and produces the corresponding configuration. Take a look at figure 10.8 for a peek at what it looks like. The tool will .