About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 35 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.



  05:03 PM

Someone at Microsoft has posted improved versions of HtmlEncode and UrlEncode in what they call the "Microsoft Anti-Cross Site Scripting Library V1.0." The library includes two methods that have essentially the same signatures as the corresponding methods in HttpServerUtility:
public static string HtmlEncode(string s);
public static string UrlEncode(string s);
Thus:
String s = Microsoft.Security.Application.AntiXSSLibrary.HtmlEncode(TextBox1.Text);
The difference between the HttpServerUtility and the Anti-XSS library versions of the methods is that the former encodes only a specific set of characters, whereas the new version encodes everything except a specific set of characters. In other words, the former uses a blacklist, the latter a whitelist. In security terms, this means the new version is that much harder to get around.

(All of this information lifted directly from the docs and samples included with the library.)
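The two strategies side by side, as an added example that is not code from the library or from the original post. Both encoders and their character sets are hypothetical stand-ins chosen for illustration, and the input and the single-quoted attribute are constructed.

```csharp
using System;
using System.Text;

static class EncoderComparison
{
    // Denylist: encode only characters known to be dangerous (assumed set).
    static string DenylistEncode(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
        {
            switch (c)
            {
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append("&gt;"); break;
                case '&': sb.Append("&amp;"); break;
                case '"': sb.Append("&quot;"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Allowlist: pass only characters known to be safe (assumed set).
    static bool IsSafe(int cp) =>
        (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') ||
        (cp >= '0' && cp <= '9') || cp == ' ' || cp == ',' ||
        cp == '.' || cp == '-' || cp == '_';

    static string AllowlistEncode(string s)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < s.Length; i++)
        {
            // Read a whole code point so a surrogate pair becomes one reference.
            int cp = char.IsSurrogatePair(s, i) ? char.ConvertToUtf32(s, i++) : s[i];
            if (IsSafe(cp)) sb.Append((char)cp);
            else sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        string input = "Pat's \"cafe\" <3"; // constructed sample input
        // Single-quoted attribute: the denylist leaves ' raw, the allowlist encodes it.
        Console.WriteLine("<input value='" + DenylistEncode(input) + "'>");
        Console.WriteLine("<input value='" + AllowlistEncode(input) + "'>");
    }
}
```

The apostrophe is the character to watch: the denylist author did not anticipate a single-quoted attribute, so the value is cut short at `Pat`, while the allowlist version never has to anticipate the context because anything outside the safe set is encoded.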

To use the new library, download the .msi from the download page and run it. The installer puts the library by default at x:\Program Files\microsoft\Anti-Cross Site Scripting Library V1.0. The installation includes some minimal docs, some samples, and an assembly containing the class. The easiest way to use it, probably, is to copy the assembly to the Bin folder of any app where you want to use it. Have a look at the .rtf file in the Documentation folder for a little more information than what's listed here.

Via Mike Gunderloy.
