1. Original Entry + Comments2. Write a Comment3. Preview Comment
New comments for this entry are disabled.

February 25, 2006  |  Anti-XSS library  |  10742 hit(s)

Someone at Microsoft has posted improved versions of HtmlEncode and UrlEncode in what they call the "Microsoft Anti-Cross Site Scripting Library V1.0." The library includes two methods that are essentially the same as the corresponding methods in HtmlServerUtility:
public static string HtmlEncode(string s);
public static string UrlEncode(string s);
String s = Microsoft.Security.Application.AntiXSSLibrary.HtmlEncode(TextBox1.Text);
The difference between the HtmlUtility and the Anti-XSS library versions of the methods is that the former encodes only a specific a set of characters, whereas the new version encodes everything but a specific set of characters. IOW, the former uses a blacklist, the latter a whitelist. In security terms, this means the new version is that much harder to get around.

(All of this information lifted directly from the docs and samples included with the library.)

To use the new library, download the .msi from the download page and run it. The installer puts the library by default at x:\Program Files\microsoft\Anti-Cross Site Scripting Library V1.0. The installation includes some minimal docs, some samples, and an assembly containing the class. The easiest way to use it, probably, is to copy the assembly to the Bin folder of any app where you want to use it. Have a look at the .rtf file in the Documentation folder for a little more information than what's listed here.

Via Mike Gunderloy.

Jeff Atwood   26 Feb 06 - 9:27 PM

Ah, cool, I was wondering what exactly that would do for me. Makes sense.

Willi Winzig   28 Feb 06 - 3:29 AM

But why the hell the installer requires .NET Framework 1.0.0!!!

mike   28 Feb 06 - 9:00 PM

Hi, Willi -- the installation should be good for ASP.NET 2.0. (There was some confusion initially about the versioning -- the version on the site right this second is for ASP.NET 2.0, with the assemblies for 1.0 and 1.1 to come shortly.)

Did you get an error telling you that it requires 1.0? Because that would be quite weird ...

mike lorengo   02 Mar 06 - 10:09 AM

A minor but anal point, is why they don't follow the naming convention of Xss so that it's AntiXssLibrary instead of AntiXSSLibrary...

mike   02 Mar 06 - 10:13 AM

mike -- good point. Hadn't thought about that, probably because I tend to do most stuff in VB. But you're right, that's not conformant ...

Anonymous   29 Mar 06 - 6:10 PM

Whilst Anti-XSS library is good, they need to add a decode method which will also repopulate the QueryString property on HttpRequest so that encoded data can be decoded and accessed.