Which ASP.NET Controls Automatically HTML Entity Output Encodes?
Sacha Faust has just published a grid mapping which ASP.NET controls automatically perform HTML entity output encoding on the values they render.
Link: http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx
Grid: http://blogs.msdn.com/sfaust/attachment/8918996.ashx
This guy is an idiot. His _stolen_ work came from the Microsoft Press book, "Hunting Security Bugs".
What I'd like to see is the list updated (that list is for ASP.NET 2.0) and each method sorted for source or sink potential. It's already in the static analysis tools anyways, so this hardly really matters. Even the free XSSDetect tool does a better job than this spreadsheet.
Posted by: Anonymous | Sep 11, 2008 11:08:43 AM
The content is not stolen and was provided by Tom Gallagher's team, which got it from the ASP.NET team directly. I just decided to post it online since it answered a lot of questions I received from developers. The full data is also not part of the "Hunting Security Bugs" book. If you have a copy that contains it, provide the ISBN.
It's true that XSSDetect is aimed at detecting such flaws, but the reason for the spreadsheet is to give information to developers while they are coding. Also, the public XSSDetect, or even internal versions, are not catching every case, so using the content is still very helpful during code review. There will be more postings about that in the next few weeks.
Posted by: Sacha | Sep 11, 2008 11:43:16 AM