I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from Microsoft on the net and I was wondering if this would work with a classic application?

If not do you have any ideas how I could go about sanitizing the strings?


To sanitize strings I would HTML-encode all output; that way you don't have to dink around with special characters or huge regex expressions.


The two most important countermeasures to prevent cross-site scripting attacks are to:

  • Constrain input.
  • Encode output.

via How To: Prevent Cross-Site Scripting in ASP.NET (I know it's not classic ASP, but there are similar principles)


When functions don't exist in classic ASP, write them.
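As an added example (not code from any of the answers above), here is what "encode all output" looks like in classic ASP when the value lands in different contexts: Server.HTMLEncode for the HTML body, plus two hand-written helpers, HtmlAttrEncode and JsStringEncode, for attribute values and inline-script strings, which need different escaping. The page and variable names are assumptions for the demo.

```vbscript
<%
' Added example: context-specific output encoding for classic ASP.
' Server.HTMLEncode covers text in the HTML body; attributes and JS need their own encoder.

Function HtmlAttrEncode(s)
    ' Encode for use inside a double-quoted HTML attribute value.
    Dim i, c, out
    out = ""
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        Select Case c
            Case "&": out = out & "&amp;"
            Case "<": out = out & "&lt;"
            Case ">": out = out & "&gt;"
            Case """": out = out & "&quot;"
            Case "'": out = out & "&#39;"
            Case Else: out = out & c
        End Select
    Next
    HtmlAttrEncode = out
End Function

Function JsStringEncode(s)
    ' Encode for use inside a JavaScript string literal: everything that is not
    ' ASCII alphanumeric becomes \xHH or \uHHHH, so the value cannot close the literal or the script tag.
    Dim i, code, out
    out = ""
    For i = 1 To Len(s)
        code = AscW(Mid(s, i, 1))
        If code < 0 Then code = code + 65536   ' AscW returns negatives for high code points
        If (code >= 48 And code <= 57) Or (code >= 65 And code <= 90) Or (code >= 97 And code <= 122) Then
            out = out & ChrW(code)
        ElseIf code < 256 Then
            out = out & "\x" & Right("0" & Hex(code), 2)
        Else
            out = out & "\u" & Right("000" & Hex(code), 4)
        End If
    Next
    JsStringEncode = out
End Function

' Constructed untrusted input, standing in for Request.QueryString("name")
Dim userName
userName = "Bob""><script>alert(1)</script>"
%>
<p>Hello, <%= Server.HTMLEncode(userName) %></p>
<input type="text" value="<%= HtmlAttrEncode(userName) %>">
<script>var name = '<%= JsStringEncode(userName) %>';</script>
```

Each output point uses the encoder for its own context; using HTML encoding alone inside the script block would still leave the string literal breakable.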


If you do have to allow certain HTML tags (as I do in my current project), you can use a regex to allow only those tags and no others, like so:

    Set objRegExp = New RegExp
    With objRegExp
        ' Match any opening or closing tag whose name is not in the allowed list.
        ' (The original pattern had a stray ^ right after <, so it could never match anything.)
        .Pattern = "</?(?!(b|i|em|strong|br)\b)[^>]*>"
        .IgnoreCase = True
        .Global = True
    End With
    ' Strip every tag that is not b, i, em, strong or br
    cleanString = objRegExp.Replace(originalString, "")


Not easily - you'd need to make a COM-callable wrapper, install on the servers, etc. I simply don't think it is a suitable fit for "classic" ASP.


    <%
    Response.AddHeader "X-XSS-Protection", "1"
    %>

