Anti-Cross Site Scripting Library
AntiXSS helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine. Working with customer and partner feedback, AntiXSS incorporates radically and innovatively rethought features, offering you a newer, more powerful weapon against the often employed cross-site scripting (XSS) attack. AntiXSS gives you:
A Solid Foundation for Developers
Anti-XSS is a powerful tool in the Microsoft toolbox that mitigates XSS risks. Additionally, Anti-XSS provides a consistent level of security allowing you to focus on solving business problems and not on security problems.
No matter your development experience level, its online documentation, example code, unit tests, and calling schemes make it easy for you to know how to protect your applications from XSS attacks. Additionally, a performance data sheet helps you plan your secure deployment with full knowledge of how AntiXSS will likely perform in your environment.
Frequently Asked Questions
Q. I am currently using the .NET Framework System.Web.HttpUtility.HtmlEncode and other encoding methods in this class to encode output. Does the Microsoft Anti-Cross Site Scripting Library address a vulnerability in these methods? Are the encoding methods provided in the .NET Framework safe to use?
A. The encoding methods native to the .NET Framework are safe to use and no vulnerability is being addressed by this release of the Microsoft Anti-Cross Site Scripting Library. The Microsoft Anti-Cross Site Scripting Library differs from these methods in that it uses the principle of inclusions technique, which first defines a set of valid characters so that anything outside that set is automatically encoded.
Q. If I encode un-trusted input with System.Web.HttpUtility.HtmlEncode will this avoid Cross Site Scripting in all scenarios?
A. No, this is because System.Web.HttpUtility.HtmlEncode take a different approach than the one used by the Microsoft Anti-Cross Site Scripting Library (principle of inclusions) and encode only certain characters designated as potentially dangerous such as <, >, &, ' and characters with ASCII decimal values of 160-255. Anti-XSS library encodes character outside the range of an extensive whitelist which includes characters through A to Z, 0 to 9, space and other Unicode characters. Thus Anti-XSS Library can protect applications from cross site scripting attacks in most of the scenarios.
Q. When I use Microsoft.Security.Application.AntiXss.UrlEncode to encode the input http://www.microsoft.com/security/ I get back http%3a%2f%2fwww.microsoft.com%2fsecurity%2f. When I place this into an A tag (i.e <a href='http%3a%2f%2fwww.microsoft.com%2fsecurity%2f'>Click me</a>), the link doesn't work. What's happening?
A. The UrlEncode method is meant to be used to encode un-trusted data used in the context of URLs (for instance, if the un-trusted data is being used as a value within a query string) and not the URL itself. If the URL itself is the un-trusted input, then you could perform input validation using regular expressions to validate the URL.
Q. Can I encode the input and store it in a data store?
Q. Is there a discussion forum for this library?
A. Yes, please visit http://antixss.codeplex.com/Thread/List.aspx.
Q.The ASP.NET server controls (like TextBox, BulletedList, and so on) use the existing encoding methods in the .NET Framework. Why should I use the methods in the Anti-Cross Site Scripting Library when my server controls use the methods from the .NET Framework? Is there any way to force the server controls to use the methods from the Anti-Cross Site Scripting Library?
A. There currently is no way to force existing server controls to use the Anti-Cross Site Scripting Library. ASP.NET server controls that encode using methods from the Anti-Cross Site Scripting Library will be provided in future releases of this library.
Q.Are there any additional resources I can read to learn how to protect my Web applications against XSS attacks?
A. Yes, please refer to the following resources from the patterns & practices teams: