Seems like Microsoft updated the Anti XSS library today:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651

In addition, there is a new release of the Web Protection Library:

http://wpl.codeplex.com/

Are these two downloads the same thing? What XSS library should I be using?
Are there others I should consider?

A: 

It is the same thing. WPL includes AntiXSS and Security Runtime Engine.

I'm using Microsoft AntiXSS library with my MVC2 application. It integrates nicely and requires no code changes in the views.

Jakub Konecki
+2  A: 

Well, as the WPL owner these days I know it's a little confusing, so

The WPL contains two projects, AntiXSS and the Security Runtime Engine. Previous versions installed both, but really they're quite separate and the SRE is an ongoing project which is getting a major rewrite, so rather than hold up the latest changes to AntiXSS whilst I pottered around some more with the SRE we made the decision to split them out, and ship separately.

So right now AntiXSS 4.0 on msdownloads is the most up to date encoding library.

As part of the source push the latest source for the SRE will be pushed as well - however the SRE is still a work in progress, and will remain so for some time, so it'll be source only for a while.

We're still trying to figure out how best to address this in terms of CodePlex projects :)

blowdart