In ASP.NET 4.5 there is a new namespace System.Web.Security.AntiXss
which includes encoding routines from version 4.0 of the AntiXssLibrary (http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382).
The latest version of AntiXssLibrary is 4.2.1.
I'm quite confused what type I should use for encoding output HTML in my new project: the built-in System.Web.Security.AntiXss.AntiXssEncoder or Microsoft.Security.Application.AntiXssEncoder from AntiXssLibrary. Could anyone tell me what type is preferred to use and why?
From the AntiXssEncoder.HtmlEncode documentation: "Encodes the specified string for use as text in HTML markup and optionally specifies whether to use HTML 4.0 named entities." A further overload, HtmlEncode(String, TextWriter), is also listed.
AntiXSS is an encoding library which uses a safe list approach to encoding. It provides Html, XML, Url, Form, LDAP, CSS, JScript and VBScript encoding methods to allow you to avoid Cross Site Scripting attacks. This library is part of the Microsoft SDL tools.
The one in the System.Web.* namespace is a clone of the one in the Microsoft.Security.* namespace, but the System.Web one is slightly tweaked for better performance characteristics. We recommend the System.Web one going forward.
If you set the <httpRuntime encoderType> setting as described at http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382, then you can just use the built-in encoding routines like HttpUtility.HtmlEncode, and the implementation will be provided by the Anti-XSS libraries.
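As an added illustration of the answer above (example code, not from the original post or from the AntiXSS project), the web.config setting it refers to and a small ASP.NET 4.5 helper that shows the built-in HttpUtility.HtmlEncode being served by the AntiXSS encoder. The class name EncoderCheck and the sample input string are constructed for this example; the encoderType value is the one documented on the linked whats-new page.

```csharp
// web.config (ASP.NET 4.5): route every built-in encoding call through AntiXSS.
// <configuration>
//   <system.web>
//     <httpRuntime targetFramework="4.5"
//       encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
//   </system.web>
// </configuration>

using System;
using System.Web;
using System.Web.Security.AntiXss;
using System.Web.Util;

// Hypothetical helper living inside the web application (e.g. called from a page or Global.asax).
public static class EncoderCheck
{
    // Constructed sample of attacker-controlled text, e.g. from a query string.
    public const string Untrusted = "<img src=x onerror=alert(1)> O'Reilly & \"co\"";

    // True when the encoderType setting is active and the built-in HttpEncoder
    // pipeline is the AntiXSS implementation (AntiXssEncoder derives from HttpEncoder).
    public static bool AntiXssIsDefaultEncoder()
    {
        return HttpEncoder.Current is AntiXssEncoder;
    }

    // Explicit use of the 4.5 built-in encoder recommended by the answer above.
    public static string EncodeExplicitly(string input)
    {
        return AntiXssEncoder.HtmlEncode(input, useNamedEntities: false);
    }

    // With encoderType configured, HttpUtility.HtmlEncode (and therefore Server.HtmlEncode
    // and the <%: %> syntax) is served by the same AntiXSS routine, so existing code
    // gets safe-list encoding without being rewritten.
    public static string EncodeViaBuiltIn(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    public static void Report()
    {
        Console.WriteLine("AntiXSS is default encoder: " + AntiXssIsDefaultEncoder());
        Console.WriteLine("Explicit : " + EncodeExplicitly(Untrusted));
        Console.WriteLine("Built-in : " + EncodeViaBuiltIn(Untrusted));
    }
}
```

If AntiXssIsDefaultEncoder() returns false, the httpRuntime element was not picked up (wrong assembly-qualified name or a config file outside the application root), and the two outputs may differ because the default HttpEncoder uses a smaller encoding set than the AntiXSS safe-list approach.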