Where is LdapFilterEncode?

  • Question

  • I am working on a project using the .NET 4.5 framework. The company requires the application code to pass through a code analyzer before it can go to production.

    I have an LDAP class where I perform simple searches, but I need to encode the Filter of my queries to make this web application safer. I have found a lot of information on the internet talking about the System.Web.Security.AntiXss namespace, and specifically this website says to use Encoder.LdapFilterEncode(string).

    All I can find in that namespace is what corresponds with the Microsoft documentation, which doesn't have an LdapFilterEncode method. Microsoft even mentions this namespace to prevent LDAP injection attacks on this website, but doesn't identify which method to specifically use for it.

    If the LdapFilterEncode is no longer being used, which method should I use in the AntiXss namespace? AntiXssEncoder.HtmlEncode(string, bool)?

    Here is a snippet of code to show you what I am working with; the issue is with the _DirectorySearcher.Filter line...

    using (DirectorySearcher _DirectorySearcher = new DirectorySearcher(_DirectoryEntry))
    {
        _DirectorySearcher.SearchScope = SearchScope.Subtree;
        _DirectorySearcher.Filter = string.Format("(sAMAccountName={0})", _User[1]);
        _DirectorySearcher.PropertiesToLoad.Add("mail");
        _DirectorySearcher.PropertiesToLoad.Add("displayName");
    }

    Any help would be greatly appreciated. Thank you in advance.

    Tuesday, July 9, 2019 12:46 PM

Answers

  • Hi mkruluts,

    Thank you for posting here.

    For your question, you want to use the LdapFilterEncode method. 

    First, you could try to Install-Package AntiXSS.

    Second, you could use the following code to call it.

       string a=Microsoft.Security.Application.Encoder.LdapFilterEncode("test1");

    Best Regards,

    Jack



    • Marked as answer by mkruluts Wednesday, July 10, 2019 2:24 PM
    Wednesday, July 10, 2019 7:33 AM
    Moderator

All replies

  • See AntiXssEncoder Class

    https://docs.microsoft.com/en-us/dotnet/api/system.web.security.antixss.antixssencoder?redirectedfrom=MSDN&view=netframework-4.8



    Tuesday, July 9, 2019 1:29 PM
    Moderator
  • Karen,

    Thank you for the quick response.

    I already had a link to that page, and identified that class in my original post. One of my original questions was, if the LdapFilterEncode method is no longer available, which method in that AntiXssEncoder class should I use? 

    Tuesday, July 9, 2019 1:47 PM
  • Jack,

    Thank you for the response.

    I actually stumbled across the NuGet package last night, and it worked as I wanted it to. Thank you!

    Wednesday, July 10, 2019 2:23 PM