Version 4.0 of Microsoft's AntiXSS, part of the Web Protection Library (WPL), has now been released.
The AntiXSS component provides an encoding library for developers to effectively combat cross-site scripting and injection attacks in ASP.NET applications. It does this by allowing developers to filter all user input in various formats, such as HTML, XML, CSS and JavaScript. Its main differentiating feature is that it works on a whitelisting approach, where only recognised characters are permitted and the rest are encoded, which provides better protection than the inverse (blacklisting) approach.
Version 4 brings a range of new features and improvements, including the ability to be used in Medium Trust environments; the ability to adjust the "safe lists" for HTML and XML encodings to give users more control over the filtering; more accurate detection of invalid Unicode characters; and better support for Unicode surrogate character pairs as well as HTML 4.01 named entities. In addition, there are some bug fixes and performance improvements in the component.
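The whitelisting approach described above, with an adjustable safe list and surrogate-pair handling, shown as an added C# example that is not AntiXSS source code and does not use its API. The class `AllowListHtmlEncoder`, its `AllowRange` method and the default safe list are hypothetical, and rejecting an unpaired surrogate with an exception is an assumption about how invalid Unicode should be handled.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;

// Added illustration of allow-list HTML encoding. Not AntiXSS source; all names are hypothetical.
public static class AllowListHtmlEncoder
{
    // Adjustable safe list: inclusive code point ranges that are emitted unchanged.
    private static readonly List<(int Lo, int Hi)> Safe = new List<(int Lo, int Hi)>
    {
        (0x61, 0x7A), (0x41, 0x5A), (0x30, 0x39), (0x20, 0x20)   // a-z, A-Z, 0-9, space
    };

    public static void AllowRange(int lo, int hi) => Safe.Add((lo, hi));

    private static bool IsSafe(int cp) => Safe.Exists(r => cp >= r.Lo && cp <= r.Hi);

    public static string Encode(string input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i++)
        {
            int cp = input[i];
            if (char.IsHighSurrogate(input[i]) && i + 1 < input.Length && char.IsLowSurrogate(input[i + 1]))
            {
                cp = char.ConvertToUtf32(input[i], input[i + 1]);   // one code point from a valid pair
                i++;
            }
            else if (char.IsSurrogate(input[i]))                    // assumption: reject invalid Unicode
                throw new ArgumentException("Unpaired surrogate at index " + i);

            if (IsSafe(cp)) sb.Append(char.ConvertFromUtf32(cp));
            else sb.Append("&#").Append(cp.ToString(CultureInfo.InvariantCulture)).Append(';');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample: markup, a non-ASCII letter, and U+1F600 (a surrogate pair in UTF-16).
        string sample = "<b title=\"x\">caf\u00E9</b> \uD83D\uDE00";
        Console.WriteLine(Encode(sample));      // everything outside the safe list becomes &#NNN;
        AllowRange(0xE9, 0xE9);                 // widen the safe list to pass U+00E9 through
        Console.WriteLine(Encode(sample));
        try { Encode("abc\uD83D"); }            // constructed input ending in a lone high surrogate
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the decision is made per code point against the safe list, a character the encoder has never seen before is encoded by default, which is what a deny-list cannot guarantee.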
A binary installer for AntiXSS 4.0 is available now, and the source code is expected to arrive on Codeplex either late this week or early next. There's more information over on the Security Tools blog.