All posts tagged 'microsoft'

WilliaBlog.Net

I dream in code

About the author

Robert Williams is an internet application developer for the Salem Web Network.

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.


New and Improved Microsoft AntiXss 3.1.

Until now, the preferred way to selectively allow only certain HTML tags like <b> and <i> was to regex the input to ensure it contained only valid Unicode letter and number characters and those specified tags, something like this:

if (!Regex.IsMatch(input, @"^([\p{L}\p{N}'\s]|<b>|</b>|<i>|</i>){1,40}$")) throw new Exception();

This approach will prevent all unwanted tags, but it will also prevent all attributes on the allowed tags. Sometimes this is good – attackers can add malicious script to onmouseover attributes of <b> and <i> tags – but again, sometimes this is overkill and blocks the use of benign attributes like lang or title. It would be theoretically possible to extend the regular expression to allow these attributes, as well as other safe HTML tags and their attributes, but realistically that would be an incredibly difficult regex both to develop and maintain.
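To make the trade-off concrete, the following added example (not code from the original article or from the AntiXss library) runs the allow-list regex above over constructed sample inputs. The class name, the `IsAllowed` helper and every sample string are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class AllowListRegexDemo
{
    // Pattern from the post: each of the 1 to 40 repetitions matches either one
    // letter, digit, apostrophe or whitespace character, or one whole literal tag.
    static readonly Regex Allowed = new Regex(
        @"^([\p{L}\p{N}'\s]|<b>|</b>|<i>|</i>){1,40}$");

    // Hypothetical helper: true when the input passes the allow-list check.
    static bool IsAllowed(string input)
    {
        return input != null && Allowed.IsMatch(input);
    }

    static void Main()
    {
        // Constructed sample inputs (not from the article) and what each one probes.
        var samples = new[]
        {
            Tuple.Create("<b>Hello</b> <i>world</i>", "allowed tags, no attributes"),
            Tuple.Create("<b title='greeting'>Hello</b>", "benign attribute"),
            Tuple.Create("<b onmouseover='doSomething()'>Hello</b>", "event-handler attribute"),
            Tuple.Create("<script>doSomething()</script>", "tag not on the list"),
            Tuple.Create("<b>Hello, world.</b>", "ordinary punctuation"),
            Tuple.Create("</i>Hello<b><b>", "unbalanced tags"),
            Tuple.Create(new string('a', 41), "41 letters"),
            Tuple.Create(string.Concat(Enumerable.Repeat("<b>", 40)), "40 tags, 120 characters"),
        };

        foreach (var s in samples)
        {
            // Truncate long inputs so the report stays readable.
            string shown = s.Item1.Length > 40 ? s.Item1.Substring(0, 37) + "..." : s.Item1;
            Console.WriteLine("{0,-7} {1,-28} {2}",
                IsAllowed(s.Item1) ? "accept" : "reject", s.Item2, shown);
        }
    }
}
```

On these inputs the pattern rejects both attribute cases, the script tag, the punctuated sentence and the 41-letter string. It accepts the plain tags, the unbalanced tags and the 120-character run of tags, because a whole tag consumes only one of the 40 repetitions and nesting is never checked.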

AntiXss 3.1 takes care of all of this logic for you, using the same whitelist approach: it filters the input using a list of known good tags and attributes and strips out all other text. Simply pass the untrusted input through the AntiXss.GetSafeHtml or GetSafeHtmlFragment method to sanitize it:

string output = AntiXss.GetSafeHtml(input);

I strongly encourage everyone to download the new AntiXss 3.1 and incorporate it into your applications starting today. It’s a very effective defense, especially when used in conjunction with the output encoding functionality that’s been a part of AntiXss from the beginning.

Read the Full Article Here.

Download AntiXss 3.1 from Microsoft.


Posted by Williarob on Tuesday, September 29, 2009 1:50 PM

Outlook Junk Email Filter Stops Working

After months without a problem, I suddenly found that my Outlook 2003 Inbox was full of spam and that the junk email box was empty. It was as if the junk email filter had been turned off or the rule deleted. I checked the settings but it all looked normal. The last thing I did the day before was install the Microsoft Expression Suite. A quick web search on Google revealed that a lot of other people have also noticed their Junk Email filter quit unexpectedly, some after installing Expression Web, which probably uses some Microsoft Office 2007 components. Most of the solutions I found suggested removing the email account and re-adding it, or reinstalling Outlook. Keeping those options in mind as my last resort, I first tried uninstalling the last Junk Email Filter update that was installed via Microsoft Update (go to Add/Remove Programs and check the 'Show Updates' box to find it), closing Outlook, then running Office Update again to re-install the Junk Email Filter update. It worked. I hope this saves other people the hassle of reinstalling.

Edit: This just happened again, but this time for a different reason - I had added my own email address to the Safe Recipients list. When you do that, all emails sent to that address will then be automatically marked as "not junk".

To remove yourself from the Safe Recipients list:

  • Tools-> Options…
  • button “Junk E-Mail…”
  • tab “Safe Recipients”
  • Select your own address and press “Remove”

Posted by Williarob on Tuesday, December 16, 2008 7:20 AM