AntiXSS Library V3.0 – Test Harness

Hi, Anil Chintala here…

In this post I want to talk about the new Test Harness application, which was released as part of the AntiXSS V3.0 Beta and is available as a free download on MSDN, with the source code available for download on CodePlex. The Test Harness application was created to help users quickly get started, validate that the library successfully blocks XSS issues, and measure the enhanced performance claims of AntiXSS V3.0 against the Microsoft .NET encoding library.

AntiXSS Test Harness is a Windows console application that automates two categories of tests: XSS validation and performance tests. When executed, AntiXSS Test Harness displays this console menu:


Performance Test Bench uses the HtmlEncode() method as the benchmark for measuring the performance of the AntiXSS library's AntiXss.HtmlEncode(…) method against .NET's HttpUtility.HtmlEncode(…) method. Input strings containing a mix of safe and unsafe characters are used as the payload for the automated performance tests.

Choosing Option 1, Performance Test Bench runs performance tests that record the following metrics:

  • input string lengths

  • encoded output strings

  • the total time taken for execution.

During its run, Performance Test Bench compares the execution times of .NET's HttpUtility.HtmlEncode and AntiXss.HtmlEncode and stores the results in an output file, as shown in this illustration:


XSS Validation Test Bench demonstrates the successful blocking of cross-site scripts. These tests use a list of XSS exploits as the payload for the automated tests. The XSS exploit list is read from a text file, each payload is run through the library's HtmlEncode() method, and the encoded output is stored in an output file.

When Option 2 is selected from the console menu above, the Test Harness application executes the XSS validation tests and produces the following output file:


The Test Harness application provides a framework for automating XSS validation and performance evaluation. Its primary objective is to help developers and testers quickly get started testing the AntiXSS library for XSS validation and performance. With the source code available on CodePlex, advanced users can also extend the automated testing capabilities to fit their specific requirements.
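As an added illustration, not the harness's own source from CodePlex, here is a minimal C# console program in the same spirit. It assumes the AntiXSS 3.0 assembly (Microsoft.Security.Application) and System.Web are referenced, runs a few constructed payloads through both encoders, logs the outputs together with a simple inertness check, and times both encoders over the same input set.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;
using Microsoft.Security.Application;

class MiniHarness
{
    // Constructed sample payloads; the real harness reads its list from a text file.
    static readonly string[] Payloads =
    {
        "<script>alert('test')</script>",
        "\"><b onmouseover=alert(1)>x</b>",
        "plain text with no markup",
    };

    static void Main()
    {
        // XSS validation: run each payload through both encoders, log the output,
        // and record whether any raw markup-significant character survived.
        using (var log = new StreamWriter("encoded-output.txt"))
        {
            foreach (string payload in Payloads)
            {
                string net = HttpUtility.HtmlEncode(payload);
                string axs = AntiXss.HtmlEncode(payload);
                log.WriteLine("{0}\t{1}\t{2}\t{3}\t{4}", payload, net, IsInert(net), axs, IsInert(axs));
            }
        }

        // Performance: time the same payload set through each encoder.
        const int iterations = 100000;
        Console.WriteLine("HttpUtility.HtmlEncode: {0} ms", Time(HttpUtility.HtmlEncode, iterations));
        Console.WriteLine("AntiXss.HtmlEncode:     {0} ms", Time(AntiXss.HtmlEncode, iterations));
    }

    // "Inert" for an HTML text or quoted-attribute context: no raw <, >, " or ' survives encoding.
    static bool IsInert(string encoded)
    {
        return encoded.IndexOfAny(new[] { '<', '>', '"', '\'' }) < 0;
    }

    static long Time(Func<string, string> encode, int iterations)
    {
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < iterations; i++)
            foreach (string p in Payloads) encode(p);
        sw.Stop();
        return sw.ElapsedMilliseconds;
    }
}
```

The inertness column is what makes the validation run meaningful: an encoded string that still contains a raw `<`, `>`, `"` or `'` can break out of an HTML text or attribute context, and the single quote is the character on which the two encoders may differ.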

Thanks and more later…

Comments (4)
  1. I meant to post on this earlier. Performing HTML entity encoding on all of RSnake’s attack vectors is just plain silly. You might as well run it on Moby Dick. A better approach would be to actually go through the vectors and apply exactly the right encoding for each context. BTW, does AntiXSS pass these –

  2. Anonymous says:

    Can you please let us know how to use the DLLs on a host with medium trust? We have coded stuff that works great on our local machines, but we have not managed to run this in partial trust.

    Yes, we have tried to compile it ourselves with AllowPartiallyTrustedCallers, but it does not work.

    Also posted the question here:

  3. Anonymous says:

    I really would like to use the AntiXSS but have not yet been able to run it on medium trust. I found some people who also wonder how to do it and nobody has a solution.

    I also posted the question on CodePlex some time ago. Any help with this would be great.

  4. Anonymous says:

    Our mission in Information Security is to enable secure & reliable business . In going about our
