What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

Some users who have been using IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering what’s the difference between that library and the Microsoft Anti-Cross Site Scripting Library V1.0 at https://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.  

The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript, HtmlAttributes and Visual Basic Script. The Anti-Cross Site Scripting Library currently provides protection for a subset of those vectors. Here’s the break down:

 

XSS Attack Vector	IOSEC	Anti-Cross Site Scripting Library
Html	X	X
URL	X	X
Html Attribute	X
JavaScript	X
Visual Basic Script	X

 

In the 1.0 release of the Anti-Cross Site Scripting Library, only the code to do html and url encoding was provided. In the coming weeks we’ll be porting the full capabilities of IOSEC, some safe .NET controls to use in web applications plus some feedback from the community to the Anti-Cross Site Scripting Library V1.5. Check back soon for that release! 

 

Thanks,

 

Kevin Lam

Senior Security Technologist

Application Consulting & Engineering (ACE) Team