AntiXSS 4.0 released, makes cross site attacks a thing of the past

Version 4.0 of Microsoft's AntiXSS, part of the Web Protection Library (WPL), has now been released.

The AntiXSS component provides an encoding library that helps developers combat cross-site scripting and injection attacks in ASP.NET applications. It does this by allowing developers to filter all user input in various formats, such as HTML, XML, CSS and JavaScript. Its main differentiating feature is that it works on a whitelisting approach, where only recognised characters are permitted and the rest are encoded, which provides enhanced support over the inverse (blacklisting) approach.

Version 4 brings a range of new features and improvements: it can be used in Medium Trust environments; the "safe lists" for HTML and XML encodings can be adjusted to give users more control over the filtering; invalid Unicode characters are detected more accurately; and there is better support for Unicode surrogate character pairs as well as HTML 4.01 named entities. In addition, the component includes some bug fixes and performance improvements.
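
The whitelisting approach and the surrogate-pair handling described above, sketched as an added C# example. It is not AntiXSS source code and does not call the library's API; the safe list, the class and method names, and the choice to replace an unpaired surrogate with U+FFFD are assumptions made for this illustration.

```csharp
using System;
using System.Text;

// Added illustration of whitelist vs. blacklist encoding; not the AntiXSS implementation.
static class WhitelistDemo
{
    // Assumed safe list for the demo: ASCII letters, digits, space and a few punctuation marks.
    static bool IsSafe(int cp) =>
        (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') ||
        (cp >= '0' && cp <= '9') || cp == ' ' || cp == '.' || cp == ',' || cp == '-' || cp == '_';

    // Whitelist: every code point outside the safe list becomes a numeric character reference.
    public static string EncodeWhitelist(string input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            int cp;
            if (char.IsHighSurrogate(c) && i + 1 < input.Length && char.IsLowSurrogate(input[i + 1]))
                cp = char.ConvertToUtf32(c, input[++i]); // valid pair: encode as one code point
            else if (char.IsSurrogate(c))
                cp = 0xFFFD;                             // unpaired surrogate: invalid, replace (demo choice)
            else
                cp = c;

            if (IsSafe(cp)) sb.Append((char)cp);
            else sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    // Blacklist: only the characters someone remembered to list are encoded.
    public static string EncodeBlacklist(string input) =>
        input.Replace("&", "&amp;").Replace("<", "&lt;").Replace(">", "&gt;");

    static void Main()
    {
        // Constructed inputs: quotes and markup, a surrogate pair (U+1F600), a lone high surrogate.
        string[] samples = { "say \"hi\" & <b>", "ok \U0001F600", "bad \uD83D end" };
        foreach (var s in samples)
        {
            // The blacklist leaves quotes and non-ASCII untouched; the whitelist encodes them.
            Console.WriteLine("blacklist: " + EncodeBlacklist(s));
            Console.WriteLine("whitelist: " + EncodeWhitelist(s));
        }
    }
}
```

The blacklist version passes the double quotes through unchanged, which matters when the value is written into an HTML attribute; the whitelist version encodes them because they are not on the safe list.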

A binary installer for AntiXSS 4.0 is available now, and the source code is expected to arrive on Codeplex either late this week or early next. There's more information over on the Security Tools blog.
