Now that MVC has introduced HTML Encoding via
<%: blah %>
is there still value in using
<%= AntiXSS.HTMLEncode(blah) %>
instead?
For example: My application will take all content in (including JavaScript) and store it in its raw state in the database. I was planning on simply outputting everything using something like <%: m...
How does the XSS (Cross Site Scripting) support provided by ASP.NET differ from AntiXss? AntiXss is a Microsoft library for securing your site against XSS. Both APIs look almost similar, and it looks like they can easily be switched from one to the other by doing a find and replace in your code files.
Which one provides more security against XS...
Hello, I'm using Visual Studio 2008 with ASP.NET MVC 2. I need an anti XSS library to sanitize an input which is generated by a rich text editor (lightweight RTE).
I want to use the AntiXss.GetSafeHtmlFragment(input); function.
The problem is that VS 2008 crashes after I reference the anti XSS dll (it works fine the first time but then it crashe...
According to an old AntiXss article on MSDN, AntiXss.UrlEncode is used to encode a link href (Untrusted-input in the following example):
<a href="http://search.msn.com/results.aspx?q=[Untrusted-input]">Click Here!</a>
My understanding was that UrlEncode should be used only when setting something to a URL, like when setting document.locati...
The HttpUtility class provides for both encoding and decoding. But, when I use the MS AntiXSS 3.1 Library I have a set of methods only for encoding, does this mean decoding can be avoided?
For example
Before applying AntiXSS:
lblName.Text = "ABC" + "<script> alert('Inject'); </script";
After applying AntiXSS:
lblName.Text = AntiXSS...
Seems like Microsoft updated the Anti XSS library today:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651
In addition there is a new release of the Web Protection Library
http://wpl.codeplex.com/
Are these two downloads the same thing? What XSS library should I be using?
Are there ot...
The reason why I ask is that I'm telling a vendor of ours they have to use the MS AntiXSS library with the ASP.NET UI components they make, but they also work with Flex to build Flash based UIs - and I was wondering if there's an equivalent for Flash (assuming it's vulnerable).
...
I'm using the Microsoft AntiXss 3.1 library. We have a number of international sites which use non-Latin scripts. We're using SEO-friendly URLs, so we have non-ASCII characters that end up in the URL.
AntiXss.UrlEncode (at least in 3.1) treats "international characters" as safe, so we end up with an IRI instead of a URI:
http://somesi...