Wednesday 6 February 2013

SRE and Package HtmlAgilityPack Sanitizer as a stand alone module (at OWASP .Net)

Here's an email I wrote to Jim Manico on the owasp-leaders list about Microsoft's SRE (Secure Runtime Engine), which is part of the WPL (Web Protection Library, http://wpl.codeplex.com, where AntiXSS comes from), and the Sanitization/Encoding capabilities of the HtmlAgilityPack.

tl;dr: There is a good opportunity for OWASP to be involved since there doesn't seem to be a clear solution out there (at the moment).
-------------------------------------------------------------------

What I like about the SRE (which I have used before) is that it is highly configurable and allows the injection (via reflection) of 'encoding' (and other security measures) directly into controllers. And yes, it can take into account the content of the encoding, since we can set the encoding context to Html, HtmlAttribute, Url, Xml, XmlAttribute or SafeHtml.

Here are some good references:

Now the HtmlAgilityPack is an interesting option (http://htmlagilitypack.codeplex.com/). I actually already use it and like it a lot (for example, TeamMentor uses HtmlAgilityPack to create well formatted/normalized Html content).

But the problem with the reference that you showed (http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx) is that it depends on the http://AjaxControlToolkit.CodePlex.com (i.e. the Sanitization Library that uses the HtmlAgilityPack is part of the AjaxControlToolkit and has a hard dependency on it).

I actually spent some time today trying to see if I could use the HtmlAgilityPack in TeamMentor, and I have to say that as a Developer, what I saw was not very solid. Basically I'm not that confident (as a developer) to use the HtmlAgilityPack for Sanitization, because:
  • the issue I raised above (dependency on AjaxControlToolkit),
  • no code samples easily found,
  • questions like this: "Suitability for XSS prevention",
  • the fact that the AjaxControlToolkit Sanitizer is a massive RegEx (had a look at the code), and
  • I don't want to write my own version of the Sanitizer

I actually think that there is a good opportunity for OWASP, namely the OWASP-dotnet project, to be involved, since there is clearly a gap here.

The AntiXSS is currently too strict and there are no other easier to add (and deploy) solutions (especially one available via NuGet).

I will see if we can do something about this at the OWASP-dotnet project; maybe we could fork the AjaxControlToolkit Sanitizer and make it a stand-alone project.
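
To make the gap described in the email concrete, here is an added example (not code from the email, the AjaxControlToolkit or any OWASP project) of an allow-list sanitizer that depends only on HtmlAgilityPack and walks the parsed DOM instead of using a regular expression. The class name and the tag, attribute and URL-scheme lists are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using HtmlAgilityPack;

public static class AllowListSanitizer   // hypothetical name, not an existing library type
{
    // Assumed allow-list: tag name -> attributes that may stay on it.
    static readonly Dictionary<string, string[]> AllowedTags =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
            { "p", new string[0] }, { "br", new string[0] }, { "b", new string[0] },
            { "i", new string[0] }, { "ul", new string[0] }, { "li", new string[0] },
            { "a", new[] { "href", "title" } } };
    static readonly string[] DropWithContent = { "script", "style", "iframe", "object", "embed" };
    static readonly string[] AllowedSchemes = { "http", "https", "mailto" };

    public static string Sanitize(string untrustedHtml)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(untrustedHtml ?? string.Empty);
        Clean(doc.DocumentNode);
        return doc.DocumentNode.WriteTo();          // serialize the cleaned tree
    }

    static void Clean(HtmlNode parent)
    {
        foreach (var node in parent.ChildNodes.ToList()) {
            if (node.NodeType == HtmlNodeType.Text) {
                // Decode then re-encode, so a stray '<' or '>' is always emitted as an entity.
                var text = (HtmlTextNode)node;
                text.Text = WebUtility.HtmlEncode(HtmlEntity.DeEntitize(text.Text));
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element || DropWithContent.Contains(node.Name)) {
                node.Remove(); continue;            // comments, script, style, ... go with their content
            }
            Clean(node);                            // clean children before deciding on the parent
            string[] allowedAttrs;
            if (!AllowedTags.TryGetValue(node.Name, out allowedAttrs)) {
                parent.RemoveChild(node, true); continue;   // unwrap unknown tag, keep cleaned children
            }
            foreach (var attr in node.Attributes.ToList()) {
                var value = HtmlEntity.DeEntitize(attr.Value ?? string.Empty);
                if (!allowedAttrs.Contains(attr.Name) || (attr.Name == "href" && !IsSafeUrl(value))) {
                    attr.Remove(); continue;
                }
                attr.Value = WebUtility.HtmlEncode(value);          // quotes become entities
                attr.QuoteType = AttributeValueQuote.DoubleQuote;   // never emit an unquoted value
            }
        }
    }

    // Only absolute URLs with an allow-listed scheme pass; relative or malformed values are dropped.
    static bool IsSafeUrl(string value)
    {
        Uri uri;
        return Uri.TryCreate(value.Trim(), UriKind.Absolute, out uri) && AllowedSchemes.Contains(uri.Scheme);
    }
}
```

HtmlAgilityPack does not parse markup exactly as browsers do, which is why this example re-encodes every surviving text node and attribute value instead of passing the parsed strings through unchanged.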