When I first started learning .NET back in 2005, I bought an ASP.NET 2.0 in 24 Hours type book to get the ball rolling. .NET was my first managed language, so it all was pretty new to me. I had spent plenty of time writing in C/C++ and PHP. I didn’t care about security, I just wanted it to work. Fast forward a few years and I’m now a security guy. When I read how-to books now, I’m always looking for security vulnerabilities in sample code. This is a common problem and really starts new programmers on the wrong foot. I completely understand wanting to make sample code very easy to understand, but if we keep security an advanced topic, it never gets read. I’m guilty of reading 2/3rd of a programming book and then not finishing it because I want to go code. We need to build security into every step of our curricula just as we do our SDLCs.
This weekend I was looking at a Microsoft tutorial on MVC 3. They have a basic example of a HelloWorld app that echoes out a name from the GET request. When I saw them setting up the example, I quickly thought cross-site scripting.
I was surprised to see the HtmlEncode method there, well done Microsoft! While this function only partially fixes the problem (HtmlEncode from the HttpUtility class only HTML encodes certain characters, so XSS is still possible but difficult). Using the AntiXss library would have been better. They also don’t explain why they HTML encoded the output. A simple paragraph stating we do this to fight XSS and here’s a link for more info would have been good. Nevertheless, I was happy to see this. My hat’s off to you Microsoft.