SYSK 77: The Difference Between Microsoft.Security.Application.AntiXSSLibrary.HtmlEncode and System.Web.HttpUtility.HtmlEncode
As many of you may know, on Feb. 26 Microsoft released the Microsoft Application Security Anti-Cross Site Scripting Library. The download is available at http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.
The question is, since we already have the HtmlEncode method under System.Web.HttpUtility to combat XSS, why do we need anything else? As it turns out, HttpUtility.HtmlEncode only escapes a fixed list of known dangerous characters; anything not on that list passes through untouched. The new AntiXSSLibrary.HtmlEncode (and UrlEncode) take the opposite approach: they let through only a small set of known-safe characters and escape everything else. This is a much safer way to go!
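To make the difference concrete, here is an added example (my own code, not the AntiXSS library's or the .NET Framework's implementation) that models the two strategies. The deny-list encoder escapes only the handful of characters the text says HttpUtility.HtmlEncode handles; the allow-list encoder passes only letters, digits and a few punctuation characters (a set I chose for this illustration) and turns every other character into a numeric entity. The sample input is constructed.

```python
import html

# Characters the deny-list encoder knows about. Everything else is passed through.
DENY_LIST_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
}

# Characters the allow-list encoder lets through unchanged. This particular set is
# an assumption made for the example; the real library ships its own safe list.
ALLOW_LIST = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " .,-_"
)


def denylist_html_encode(value: str) -> str:
    """Escape only the known-dangerous characters; unknown ones are left as-is."""
    return "".join(DENY_LIST_MAP.get(ch, ch) for ch in value)


def allowlist_html_encode(value: str) -> str:
    """Pass only known-safe characters; encode everything else as &#NN; entities."""
    return "".join(ch if ch in ALLOW_LIST else f"&#{ord(ch)};" for ch in value)


def unencoded_non_safe_chars(encoded: str) -> set:
    """Characters in the encoder's output that are neither safe nor part of an entity.

    Used to show what a deny-list encoder lets slip through. Entity bodies are
    skipped so that '&', '#', ';' and the digits inside '&#39;' are not counted.
    """
    leaked = set()
    i = 0
    while i < len(encoded):
        ch = encoded[i]
        if ch == "&":
            end = encoded.find(";", i)
            i = end + 1 if end != -1 else i + 1  # skip over the whole entity
            continue
        if ch not in ALLOW_LIST:
            leaked.add(ch)
        i += 1
    return leaked


def round_trips(value: str) -> bool:
    """Both encoders must decode back to the original: encoding, not sanitising."""
    return (
        html.unescape(denylist_html_encode(value)) == value
        and html.unescape(allowlist_html_encode(value)) == value
    )


# Constructed sample, not taken from any real page
SAMPLE = "<script>alert('x')</script>"

if __name__ == "__main__":
    print("deny-list :", denylist_html_encode(SAMPLE))
    print("allow-list:", allowlist_html_encode(SAMPLE))
    # The deny-list output still contains ' ( ) and /, because they were never on its list.
    # A stray quote matters when the value ends up inside a quoted attribute.
    print("left through by deny-list:", sorted(unencoded_non_safe_chars(denylist_html_encode(SAMPLE))))
```

Running it shows that the deny-list output still carries the apostrophe, parentheses and slash unchanged, while the allow-list output contains nothing but safe characters and entities. Both outputs decode back to the original string, which is the property that distinguishes encoding from lossy filtering.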
P.S. If you would like to better understand the dangers of Cross Site Scripting, read this great paper -- HTML Code Injection and Cross-site scripting (http://www.technicalinfo.net/papers/CSS.html).
Comments
- Anonymous, March 07, 2006
  PingBack from http://www.devshare.net/2006/03/07/ms-anti-cross-site-scripting-library-v10/
- Anonymous, March 07, 2006
  Microsoft just released its first version of the Anti-Cross Site Scripting Library V1.0.
  Irena...
- Anonymous, January 22, 2007
  Hello! I am Billy Johnson. Nice design. Enjoy! Good site! OK. 0n79p7k .