Questions tagged [antixsslibrary]


The AntiXSS Library is a .NET assembly provided as part of the Web Protection Library, a Microsoft Open Source project. It provides various encoding functions for use in web applications. Encoding functions generally take un-trusted input and translate it into a format which is suitable for inclusion in output, minimizing the risk of injection attacks such as Cross Site Scripting.

Its approach differs from the built-in encoders in the .NET framework in that it uses a safe-list approach, rather than a limited black-list.

Installing AntiXSS can most easily be done using its NuGet package:

Install-Package AntiXSS
152 questions
51 votes, 5 answers

What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

I just ran across a question with an answer suggesting the AntiXss library to avoid cross site scripting. Sounded interesting, reading the msdn blog, it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode(). Why…
g .
50 votes, 5 answers

How to use C# to sanitize input on an html page?

Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "" should become…
NotMe
22 votes, 3 answers

Microsoft AntiXSS Alternative

Microsoft's AntiXSS library has been broken for 6 months and it looks abandoned (that may or may not officially be the case). Due to a security issue with previous versions, it is not safe to rollback to an earlier release. Are there any good…
JP.
19 votes, 4 answers

Why use Microsoft AntiXSS library?

When you can simply encode the data using HttpUtility.HtmlEncode, why should we use AntiXss.HtmlEncode? Why is white list approach better than black listing? Also, in the Anti XSS library, where do I specify the whitelist?
Nick
18 votes, 1 answer

System.Web.Security.AntiXss.AntiXssEncoder vs Microsoft.Security.Application.AntiXssEncoder

In ASP.NET 4.5 there is a new namespace System.Web.Security.AntiXss which includes encoding routines from version 4.0 of the AntiXssLibrary (http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382). The latest version of AntiXssLibrary…
Alexander Simonov
17 votes, 7 answers

Can't include Microsoft.Security.Application?

I can't include Microsoft.Security.Application using Microsoft.Security.Application; Gives this error: The type or namespace name 'Security' does not exist in the namespace 'Microsoft' (are you missing an assembly reference?) And yes, I clicked…
Danpe
15 votes, 2 answers

Should I use the Anti-XSS Security Runtime Engine in ASP.NET MVC?

I have been reading up on Anti-XSS Security Runtime Engine and it looks like a nice solution for web forms because it inspects controls via reflection and automatically encodes data where appropriate. However as I don't really use server side…
Blegger
12 votes, 4 answers

Sanitize HTML before storing in the DB or before rendering? (AntiXSS library in ASP.NET)

I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment to sanitize the HTML. Should I sanitize…
Nick
11 votes, 2 answers

Examples of XSS vulnerabilities that get by ASP.NET 4 <%: %> or Razor encoding but are caught by AntiXSS

I'm looking for an example of an XSS vulnerability that would be stopped just by using the AntiXSS Encoder 4.1 Beta as the runtime encoder (setting in system.web/httpRuntime). I would prefer something that doesn't require any explicit calls to…
Jon Galloway
10 votes, 2 answers

What is the best way to store WMD input/markdown in SQL server and display later?

I'm looking at using WMD in my project instead of my existing RadEditor. I have been reading a few posts on how to store and retrieve the data, and I want to make sure I have the concept correct before proceeding. If my research is correct, here is…
Chase Florell
9 votes, 3 answers

HTML sanitizer in ASP.NET MVC that filters dangerous markup, but allows the rest

I know that a lot of questions about HTML sanitizers have appeared on SO, but I don't know if they do what I want; I'm in a bit of a mess since some of the recommended approaches are more than 4 years old. I have a page with the TinyMCE editor. Of…
vtortola
7 votes, 1 answer

Anti XSS Library removing UL tag. Why?

I am using the Microsoft anti xss library and I noticed that for some reason it is removing the <ul> tag. I can't figure out why. For instance: string html = @"<ul><li>this is a test</li></ul>"; string sanitized =…
chobo2
7 votes, 2 answers

<%: %> vs the Microsoft anti XSS library

With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax. My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS…
dtc
7 votes, 2 answers

Acceptable security: Disable ValidateRequest with Parameterised SQL and HTML Encoded Strings?

I'm trying to make sure my webforms ASP.NET application is as secure as possible, it receives and stores user input data to a SQL database (the usual stuff) only for users with a login, so not available to the general public. By disabling…
RemarkLima
6 votes, 4 answers

Using MS Anti XSS library for sanitizing HTML

In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time. My understanding is that I can sanitize the HTML using…
Nick