SYSK 77: The Difference Between Microsoft.Security.Application.AntiXSSLibrary.HtmlEncode and System.Web.HttpUtility.HtmlEncode

As many of you may know, on Feb. 26 Microsoft released the Microsoft Application Security Anti-Cross Site Scripting Library.  The download is available at http://www.microsoft.com/downloads/details.aspx?familyid=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.

The question is, since we already have the HtmlEncode method on System.Web.HttpUtility to combat XSS, why do we need anything else?  As it turns out, HttpUtility.HtmlEncode only escapes the characters and strings known to be dangerous (a deny-list approach); the new AntiXSSLibrary.HtmlEncode (and UrlEncode) allow only a small set of characters known to be safe and encode everything else (an allow-list approach).  This is a much safer way to go!
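
To make the two strategies concrete, here is an added example written for this post; it is not code from Microsoft or from the AntiXSS library. The deny-list side simply calls HttpUtility.HtmlEncode. The allow-list side is a small hand-written encoder that illustrates the approach the AntiXSS library takes: its allowed character set (ASCII letters, digits, space and a few punctuation marks), the class name EncodingComparison and the method names are all assumptions made for the illustration. It assumes a .NET Framework project with a reference to System.Web.dll.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility lives in System.Web.dll (reference it in a .NET Framework project)

static class EncodingComparison
{
    // Deny-list approach: replace only the handful of characters known to be
    // dangerous and pass everything else through unchanged. HttpUtility.HtmlEncode
    // works this way (it handles &, <, >, " and, in later framework versions, ').
    public static string DenyListHtmlEncode(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    // Allow-list approach: pass through only characters proven safe and encode
    // every other code point as a numeric entity. This is the strategy the
    // AntiXSS library uses; the code here is an illustration written for this
    // post, not the library's own implementation. The allowed set is a
    // deliberately small assumption: ASCII letters, digits, space and . , - _
    public static string AllowListHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            // Walk by code point so a surrogate pair becomes one entity,
            // not two invalid half-entities.
            int cp;
            if (char.IsSurrogatePair(input, i))
            {
                cp = char.ConvertToUtf32(input, i);
                i++;
            }
            else
            {
                cp = input[i];
            }

            if (IsAllowed(cp))
                sb.Append((char)cp);
            else
                sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    private static bool IsAllowed(int cp)
    {
        return (cp >= 'a' && cp <= 'z')
            || (cp >= 'A' && cp <= 'Z')
            || (cp >= '0' && cp <= '9')
            || cp == ' ' || cp == '.' || cp == ',' || cp == '-' || cp == '_';
    }

    static void Main()
    {
        // Constructed sample inputs; none of these comes from the post.
        string[] samples =
        {
            "Hello, World.",
            "<b>bold</b> & \"quoted\"",
            "it's 100% done",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input      : " + s);
            Console.WriteLine("deny-list  : " + DenyListHtmlEncode(s));
            Console.WriteLine("allow-list : " + AllowListHtmlEncode(s));
            Console.WriteLine();
        }
    }
}
```

The third sample is the instructive one: both encoders neutralise the markup in the second sample, but the deny-list encoder passes the percent sign through untouched and, depending on the framework version, the apostrophe as well, while the allow-list encoder turns both into numeric entities. That is the practical difference the post describes: with a deny list, safety depends on the list being complete; with an allow list, anything not explicitly vetted is encoded by default.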

P.S. If you would like to better understand the dangers of Cross Site Scripting, read this great paper -- HTML Code Injection and Cross-site scripting (http://www.technicalinfo.net/papers/CSS.html).