System.Web.Security.AntiXss.AntiXssEncoder vs Microsoft.Security.Application.AntiXssEncoder

In ASP.NET 4.5 there is a new namespace System.Web.Security.AntiXss which includes encoding routines from version 4.0 of the AntiXssLibrary (http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382).

The latest version of AntiXssLibrary is 4.2.1.

I'm quite confused about which type I should use for encoding output HTML in my new project: the built-in System.Web.Security.AntiXss.AntiXssEncoder or Microsoft.Security.Application.AntiXssEncoder from AntiXssLibrary. Could anyone tell me which type is preferred and why?

Alexander Simonov asked Aug 12 '13 11:08

1 Answer

The one in the System.Web.* namespace is a clone of the one in the Microsoft.Security.* namespace, but the System.Web one is slightly tweaked for better performance characteristics. We recommend the System.Web one going forward.

If you set the <httpRuntime encoderType> setting as described at http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382, then you can just use the built-in encoding routines like HttpUtility.HtmlEncode, and the implementation will be provided by the Anti-XSS libraries.

Levi answered Sep 19 '22 16:09
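An added example (not from the question or the answer above) showing the two routes the answer describes: calling the built-in System.Web.Security.AntiXss.AntiXssEncoder directly, and switching HttpUtility.HtmlEncode over to it. It assumes a .NET Framework 4.5+ project referencing System.Web; the encoderType value in the comment is the one from the linked "What's New" page, and the sample input string is constructed.

```csharp
using System;
using System.Web;
using System.Web.Security.AntiXss;
using System.Web.Util;

class AntiXssDemo
{
    // Constructed sample: a value under user control that a page echoes back.
    const string Untrusted = "<script>alert('x')</script> & \"q\" ' é";

    static void Main()
    {
        // 1. Direct use of the 4.5 built-in encoder. It uses a safe-list
        //    approach: anything not on the list (including the accented
        //    letter) is entity-encoded, so the output is safe in element text.
        Console.WriteLine(AntiXssEncoder.HtmlEncode(Untrusted, useNamedEntities: false));

        // 2. HttpUtility.HtmlEncode with the default HttpEncoder: escapes only
        //    the handful of markup-significant characters (< > & " ').
        Console.WriteLine(HttpUtility.HtmlEncode(Untrusted));

        // 3. The programmatic equivalent of the web.config setting the answer
        //    points to. In an ASP.NET site you would instead add:
        //    <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder,
        //       System.Web, Version=4.0.0.0, Culture=neutral,
        //       PublicKeyToken=b03f5f7f11d50a3a" />
        //    After this, existing HttpUtility/Server.HtmlEncode calls get the
        //    AntiXSS behaviour without any code changes.
        HttpEncoder.Current = new AntiXssEncoder();
        Console.WriteLine(HttpUtility.HtmlEncode(Untrusted));

        // Each output context has its own encoder; HTML element encoding is
        // not sufficient for attribute values, URLs or JavaScript strings.
        Console.WriteLine(AntiXssEncoder.HtmlAttributeEncode(Untrusted));
        Console.WriteLine(AntiXssEncoder.UrlEncode(Untrusted));
        Console.WriteLine(AntiXssEncoder.JavaScriptStringEncode(Untrusted));
    }
}
```

Compare the second and third lines of output to see what the encoderType switch actually changes for code that already calls HttpUtility.HtmlEncode.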