22

Microsoft's AntiXSS library has been broken for 6 months and it looks abandoned (that may or may not officially be the case). Due to a security issue with previous versions, it is not safe to roll back to an earlier release. Are there any good, actively developed alternatives for AntiXSS and web security in general when working with the Microsoft (specifically MVC) stack?

JP.
  • 5,536
  • 7
  • 58
  • 100
  • Why is the Razor view engine XSS protection not sufficient? – Leon Cullens Jul 01 '12 at 22:00
  • 1
    @LeonCullens it is not sufficient for cases where users are allowed to upload HTML content - like when using TinyMCE or another rich text editor. – JP. Jul 01 '12 at 22:03
  • Ah alright. I'm afraid I can't help with that :-) – Leon Cullens Jul 01 '12 at 22:03
  • I'm giving Kenneth the bounty as it was the first solution that I hadn't come across before (and the first indication that MSFT may *be aware of* the AntiXSS issue). Charlino, your idea is a good one, but would require a lot of code modification and wouldn't allow freedom to use different editors. Chris Piechottia, I've also looked into OWASP before but haven't found an up-to-date .NET solution. Thumbs up and thanks to everyone. I'm leaving the question open in case a better solution is found. – JP. Jul 08 '12 at 21:53
  • @JP. Think it's time to award the answer? ; ) – Kenneth Ito Jan 15 '16 at 22:22

3 Answers

5

There's a new XSS sanitizer shipping with the June 2012 release of the Ajax Control Toolkit. The toolkit was originally using the Microsoft Anti-XSS library as well, so they experienced the same problems. The new sanitizer is based off the HtmlAgilityPack.

See http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx

Kenneth Ito
  • 5,201
  • 2
  • 25
  • 44
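The answer above says the toolkit's sanitizer is built on HtmlAgilityPack, and the question's comments explain why output encoding alone does not cover rich-text editors such as TinyMCE: the user is allowed to submit real HTML, so the server has to keep a known-good subset of it. The following allowlist sanitizer is an added example (it is not the toolkit's code and not from any of the answers) that shows what that subset-keeping looks like on HtmlAgilityPack: a fixed set of tags and per-tag attributes is kept, unknown elements are unwrapped so their text survives, script/style bodies and comments are dropped, and href/src values are checked against a short scheme list. It assumes the HtmlAgilityPack NuGet package is referenced; the tag, attribute and scheme lists are choices made for the example, not anything the page prescribes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

// Example allowlist sanitizer for user-submitted rich-text HTML (added example,
// not the Ajax Control Toolkit's sanitizer). Assumes the HtmlAgilityPack package.
public static class AllowlistSanitizer
{
    // Tags a rich-text editor legitimately emits. Anything else is unwrapped
    // (its children survive) except script/style, which are removed outright.
    private static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
        "a", "img", "h1", "h2", "h3", "blockquote", "code", "pre"
    };

    // Attributes allowed per tag. Tags not listed keep no attributes at all,
    // which is what removes on* event handlers and style attributes.
    private static readonly Dictionary<string, HashSet<string>> AllowedAttributes =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "a",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "title" } },
            { "img", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "src", "alt", "width", "height" } }
        };

    // Schemes accepted in href/src. Relative URLs pass; any other scheme is rejected.
    private static readonly string[] AllowedSchemes = { "http", "https", "mailto" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        SanitizeChildren(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    private static void SanitizeChildren(HtmlNode parent)
    {
        // Iterate over a snapshot because the child list is mutated below.
        foreach (HtmlNode child in parent.ChildNodes.ToList())
        {
            if (child.NodeType == HtmlNodeType.Comment)
            {
                child.Remove();                       // comments carry nothing worth keeping
            }
            else if (child.NodeType == HtmlNodeType.Element && !AllowedTags.Contains(child.Name))
            {
                if (child.Name.Equals("script", StringComparison.OrdinalIgnoreCase) ||
                    child.Name.Equals("style", StringComparison.OrdinalIgnoreCase))
                {
                    child.Remove();                   // drop element and its raw text body
                    continue;
                }
                // Unwrap: sanitize the subtree, hoist the children, discard the element.
                SanitizeChildren(child);
                foreach (HtmlNode grandchild in child.ChildNodes.ToList())
                {
                    grandchild.Remove();
                    parent.InsertBefore(grandchild, child);
                }
                child.Remove();
            }
            else if (child.NodeType == HtmlNodeType.Element)
            {
                StripAttributes(child);
                SanitizeChildren(child);
            }
            // Text nodes are kept unchanged.
        }
    }

    private static void StripAttributes(HtmlNode element)
    {
        HashSet<string> allowed;
        AllowedAttributes.TryGetValue(element.Name, out allowed);
        foreach (HtmlAttribute attr in element.Attributes.ToList())
        {
            bool keep = allowed != null && allowed.Contains(attr.Name);
            if (keep && (attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase) ||
                         attr.Name.Equals("src", StringComparison.OrdinalIgnoreCase)))
            {
                keep = IsSafeUrl(attr.Value);
            }
            if (!keep) attr.Remove();
        }
    }

    private static bool IsSafeUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        // Decode entities and strip control/whitespace characters, which browsers
        // ignore while parsing the scheme, before deciding what the scheme is.
        string cleaned = new string(HtmlEntity.DeEntitize(url)
            .Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray());
        int colon = cleaned.IndexOf(':');
        int delim = cleaned.IndexOfAny(new[] { '/', '?', '#' });
        if (colon < 0 || (delim >= 0 && delim < colon)) return true;   // relative URL
        return AllowedSchemes.Contains(cleaned.Substring(0, colon), StringComparer.OrdinalIgnoreCase);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample of editor output that has been tampered with.
        string input = "<p onclick=\"untrusted()\">Hello <b>world</b><script>untrusted()</script>"
                     + "<a href=\"javascript:void(0)\">no link</a> <a href=\"https://example.com\">link</a></p>";
        Console.WriteLine(AllowlistSanitizer.Sanitize(input));
    }
}
```

The returned string is what you would store and later emit unencoded (e.g. with `Html.Raw`), since it has already been reduced to the allowlist. The example covers the core mechanics only; a sanitizer used in production also has to deal with things like SVG/MathML content, CSS in `style`, and parser differences between HtmlAgilityPack and browsers, which is why a maintained library such as the one the answer points to is preferable to hand-rolling the allowlist.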
3

I have the same issue and I've been looking high and low for a solution but haven't found anything else out there.

Basically, I think the only option moving forward is to use some flavour of WMD (like they do here on Stack Overflow)... send it back to the server as WMD markup, then save it in the database as HTML and then convert it to HTML when spitting it out on the page on the server.

This could be a good start: http://code.google.com/p/pagedown/

Charlino
  • 15,802
  • 3
  • 58
  • 74
0

There is an unofficial port of WPL called AntiXSS.NetStandard that supports AntiXSS in .NET Standard 2.0 (.NET Core 2.0+, .NET Framework 4.6.1).

Will Huang
  • 2,955
  • 2
  • 37
  • 90