... has recently been released.
Microsoft's AntiXSS 4.0 is the latest release of an encoding library, built to help developers to protect ASP.NET web-based apps from cross-site scripting attacks. AntiXSS 4.0 uses a so-called "white list" technique, unlike most such encoding libraries; this defines an "allowable" character set, outside of which anything else gets encoded.
Now I hear you shout, "What are some of the most exciting features of the new version?" - and because I aim to please you, here is your appetizer:
- Medium Trust Support has been provided, by the simple expedient of moving GetSafeHtml() and GetSafeHtmlFragment(), the HTML sanitizing methods which require full trust and unsafe code permissions, into their own separate "HtmlSanitizationLibrary" assembly. Everything else works just fine with medium trust.
- You can now modify the safe list for HTML/XML encoding, based on the Unicode Code Charts for the languages your app typically expects to encounter in its working day.
- Support for HTML 4.01 named entities, and for surrogate characters, have beed added.
- HtmlFormUrlEncode - encodes according to W3C specs for application/x-www-form-urlencoded MIME type.
As befits such a mission-critical tool, the Library is licensed under an open source licence, namely the Microsoft Public Licence, which can be seen at http://www.microsoft.com/opensource/licenses.mspx. The Source is available on CodePlex.