Microsoft Anti-Cross Site Scripting Library V1.0 Available

I like this class library because it looks for "good things" and not "bad things."  

The most common method of mitigating XSS issues is to use functions like HtmlEncode that look for "bad things" (a short list of known-dangerous characters) and escape only those, passing everything else through. This library does the right thing: it looks only for good things (a very small set of known-safe characters) and escapes everything else.

There are only two methods:

AntiXSSLibrary.HtmlEncode and AntiXSSLibrary.UrlEncode

Very cool... and very simple.
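To make the "good things" versus "bad things" distinction concrete, here is an added example (my own illustration, not the library's code; the safe character sets are assumptions, not the sets Anti-XSS v1.0 actually uses). A deny-list encoder escapes a handful of known-bad characters and passes everything else through; an allow-list encoder passes only known-safe characters and encodes everything else, so characters nobody thought to list are still neutralised.

```python
import html

# Assumed allow-list for HTML text: only these characters are emitted as-is.
HTML_SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,-_"
)

# Assumed allow-list for URL components (RFC 3986 unreserved characters).
URL_SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~"
)


def allowlist_html_encode(text: str) -> str:
    """Allow-list style: anything not in HTML_SAFE becomes a numeric entity."""
    return "".join(ch if ch in HTML_SAFE else f"&#{ord(ch)};" for ch in text)


def denylist_html_encode(text: str) -> str:
    """Deny-list style for comparison: html.escape only touches & < > " '."""
    return html.escape(text, quote=True)


def allowlist_url_encode(text: str) -> str:
    """Allow-list style URL encoding: percent-encode every byte not in URL_SAFE."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in URL_SAFE else f"%{byte:02X}")
    return "".join(out)


def compare_html(text: str) -> dict:
    """Show both encoders side by side on the same untrusted input."""
    return {
        "denylist": denylist_html_encode(text),
        "allowlist": allowlist_html_encode(text),
    }


if __name__ == "__main__":
    # Constructed sample input: a backtick and angle brackets mixed with text.
    # The deny-list leaves the backtick untouched; the allow-list encodes it.
    for name, value in compare_html("a`b <c>").items():
        print(f"{name:>9}: {value}")
    print(allowlist_url_encode("a b/c"))
```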

Comments

  • Anonymous
    February 27, 2006
    The link does not give any details on what the library is doing exactly. How is that different from the HtmlEncode and UrlEncode that are built-in ASP.NET?
  • Anonymous
    March 06, 2006
    Awesome.  Thanks for sharing, we might need something like this.
  • Anonymous
    March 06, 2006
    Michael, ironically the install demands .NET 1.0 (!) while the download description says "Current MSI includes only 2.0 binaries".

    Do you think someone can repackage the distro not to demand an old version of .NET? :)

    Pardon my ignorance, but since when does Windows Installer expect a certain version of .NET?
  • Anonymous
    March 06, 2006
    I could not download the library,
    Could you please add another working link,
    Thanks for your support,
  • Anonymous
    March 07, 2006
    Apparently I can't download it. broken link?
  • Anonymous
    March 11, 2006
    Thanks Michael for the post.  If you had trouble downloading, please try again, it should work fine.  For those who had questions, please watch our blog (http://blogs.msdn.com/ace_team). We'll be posting details on this library there in the next day or two along with some additional details.

    Ahmad [MSFT]
  • Anonymous
    March 13, 2006
    to be honest, "does it the way it should be done securely" is probably more accurate!

    One of the course lessons about security is never "looking for bad things", and you could argue that's what HttpUtility does. It looks for bad things and escapes them. The Anti-Xss code looks only for good things, and escapes everything but the known good things.
  • Anonymous
    March 15, 2006
    Everyone thinking of using this tool in a production or non-demo environment needs to read the EULA. To quote Section 1:

    You may install and use any number of copies of the software on your devices.  You may use the software only to demonstrate and internally evaluate it.

    You may not use the software in a live operating environment unless Microsoft permits you to do so under another agreement.
  • Anonymous
    March 20, 2006
    Regarding the EULA, that's the standard EULA we use for an 'unsupported' tool -- so that might be where the confusion is coming from.  That said, we'll still field questions about the tool if you email acetools@microsoft.com. Thanks,

    Kevin
  • Anonymous
    March 24, 2006
    Interesting. Actually, there was a configuration specific issue with htmlencode detected (August 2004):

    http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml

    Probably not well known, and mostly ignored, due to its specific configuration to be exploitable. Still, it shows the advantages of the new toolkit approach.

  • Anonymous
    April 18, 2006
    Time for another ASP.NET roundup post...so here goes:

    The first one is a biggie...the ASP.NET team...
  • Anonymous
    November 20, 2006
    Earlier this year I wrote a blog post about Anti-XSS Library v1.0. Well, it's been updated with new methods