Saturday 16 October 2010

AntiXSS 4.0

Microsoft Anti-Cross Site Scripting Library V4.0...

... has recently been released.

Microsoft's AntiXSS 4.0 is the latest release of an encoding library, built to help developers protect ASP.NET web-based apps from cross-site scripting attacks. Unlike most such encoding libraries, which encode a fixed list of known-dangerous characters, AntiXSS 4.0 uses a so-called "white list" technique: it defines an "allowable" character set, and anything outside that set gets encoded.

Now I hear you shout, "What are some of the most exciting features of the new version?" - and because I aim to please you, here is your appetizer:
  • Medium Trust Support has been provided, by the simple expedient of moving GetSafeHtml() and GetSafeHtmlFragment(), the HTML sanitizing methods which require full trust and unsafe code permissions, into their own separate "HtmlSanitizationLibrary" assembly. Everything else works just fine with medium trust.
  • You can now modify the safe list for HTML/XML encoding, based on the Unicode Code Charts for the languages your app typically expects to encounter in its working day.
  • Support for HTML 4.01 named entities, and for surrogate characters, has been added.
  • HtmlFormUrlEncode - encodes according to W3C specs for application/x-www-form-urlencoded MIME type.
I hear too that LdapEncode has been split into LdapFilterEncode and LdapDistinguishedNameEncode, which operate according to RFC4515 and RFC2253 respectively; but I have no idea if the guy telling me that was on drugs or something. All I remember is that one used '\' and the other '#'...
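For the record, the two encodings do differ in exactly that way. The following is an example added to the post, not the library's code: ldap_filter_encode follows RFC 4515 (a backslash plus two hex digits per UTF-8 byte, lowercase as in the RFC's examples) and ldap_dn_encode follows the RFC 2253 string form (a backslash before the special characters and a leading '#' or space, \XX for control and non-ASCII characters, uppercase as in that RFC's examples). The '#' alternative in RFC 2253 is a whole value given as hex of its BER encoding, which this example does not produce. FILTER_SAFE, the function names and the example base DN are constructed.

```python
# Added illustration of the RFC 4515 filter-value and RFC 2253 DN-value
# escaping rules. Not the AntiXSS implementation; names are constructed.

# Filter values: characters passed through unescaped. Constructed safe list,
# stricter than the RFC 4515 minimum, which only requires * ( ) \ and NUL.
FILTER_SAFE = frozenset(" -._@")

# DN values: characters RFC 2253 section 2.4 requires a backslash before,
# wherever they occur.
DN_SPECIAL = frozenset(',+"\\<>;')


def _is_ascii_alnum(ch):
    return ("0" <= ch <= "9") or ("A" <= ch <= "Z") or ("a" <= ch <= "z")


def ldap_filter_encode(value):
    """RFC 4515: anything outside the safe list becomes \\xx per UTF-8 byte.
    A lone surrogate makes str.encode raise, which is the right failure here."""
    out = []
    for ch in value:
        if _is_ascii_alnum(ch) or ch in FILTER_SAFE:
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def ldap_dn_encode(value):
    """RFC 2253 string form of one attribute value: backslash-escape the
    special characters, a leading '#' or space and a trailing space; other
    printable ASCII passes; control and non-ASCII become \\XX per UTF-8 byte."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif " " <= ch <= "~":
            out.append(ch)
        else:
            out.extend("\\%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def build_user_filter(uid):
    """Place an untrusted value inside a search filter; with ( ) * and \\
    escaped, the value cannot change the filter's structure."""
    return "(&(objectClass=person)(uid=%s))" % ldap_filter_encode(uid)


def build_user_dn(cn, base_dn="ou=people,dc=example,dc=com"):
    """Place an untrusted value inside a DN; base_dn is a constructed example."""
    return "cn=%s,%s" % (ldap_dn_encode(cn), base_dn)


if __name__ == "__main__":
    # The sample values are the ones RFC 4515 and RFC 2253 use in their examples.
    print(build_user_filter("Parens R Us (for all your parenthetical needs)"))
    print(build_user_dn("Sue, Grabbit and Runn"))
    print(build_user_dn("Lu\u010di\u0107"))
```

The point of keeping two functions is that each context has its own grammar: a value that is perfectly escaped for a DN (say, a comma turned into "\,") is still not safe inside a filter, where the parentheses and asterisk are what matter, and vice versa.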

As befits such a mission-critical tool, the Library is licensed under an open source licence, namely the Microsoft Public Licence, which can be seen at http://www.microsoft.com/opensource/licenses.mspx. The Source is available on CodePlex.
