Microsoft Release new Anti-XSS tool

Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0.  Anytime you echo user input back to the Web Page you are susceptible either persistent or non-persistent cross site scripting attacks.  You can download the tool from:


So what was wrong with using System.Web.HttpUtility.HtmlEncode?  The problem with HttpUtility class is it was based upon deny-list approach—in which I mentioned an earlier blog on the down fall with this approach—versus a Accept-only approach.  As a result of the deny-list approach the HttpUtility.HtmlEncode as only good against the following characters:

  • < 

  • > 

  • &

  • Characters with values 160-255 inclusive 

The Microsoft Anti-XSS tool follows an Accept-only approach in which this tool looks for a finite set of valid input and everything else is considered invalid.  This approach will provide a more comprehensive protection to XSS and reduce the ability to trick HttpUtility.HtmlEncode with canonical representations attacks.


You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:

  • AntiXSSLibrary.HtmlEncode(string)

  • AntiXSSLibrary.URLEncode(string)

Now all characters will be encoded except for:

  • a-z (lower case)

  • A-Z (upper case)

  • 0-9 (Numeric values)

  • , (Comma)

  • . (Period)

  • _ (Underscore)

  • – (dash)

  • (Space)—Except for URLEncode

 This is a must load download!

Comments (11)

  1. Dan’s recent post reminded me that Microsoft has been doing some interesting work lately in the field of Anti-XSS. They have even released a new tool today called the Microsoft Anti-Cross Site Scripting Library V1.0 which can be used to provide comprehensive

  2. Luke says:

    If i install this on a machine with both .Net 2.0 and 1.1 it seems to only install the 2.0 Assembly.

    Is there a way i can get the 1.1 Assembly?

  3. 5 Tips for Enjoying the Software Development

    Profession [Via: ]

    ASP.NET 2.0 Wizard…

  4. MSDN Archive says:

    Hi Luke,

    I just found out the current binary of the Anti-XSS tool only supports .NET Fx 2.0.  However, they will be releasing a new binary shortly that will support .NET Fx 1.1 and 1.0

  5. In a recent post I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool.&amp;nbsp; However,…

  6. In a recent&amp;nbsp;post&amp;nbsp;I mentioned that Microsoft released a new Anti-Cross Site Scripting Tool.&amp;nbsp;…

  7. To minimize the threat of Cross Site scripting attacks ASP.NET 1.1 introduced the ValidateRequest=&quot;true&quot;…