Microsoft Security Bulletin MS12-007– Vulnerability in AntiXSS Library Could Allow Information Disclosure

Today sees the release of AntiXSS v4.2 in order to address MS12-007. As AntiXSS is a developer tool developers need to download the latest version, test, then deploy the web sites using the library. nuget has also updated – if you’ve added AntiXSS via nuget you’ll need to update the package.

It is recommended you test and apply the new version as soon as possible.

The vulnerability only affects the HTML sanitizer. The sanitizer has been changed to remove all CSS it encounters, this new behaviour means that if you were expect CSS formatting to remain after sanitization this is no longer the case.

In addition to the change necessary to correct the vulnerability there are a few new features;

  • Minimum Requirements.
    You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.

  • Invalid Unicode no longer throws an exception.
    Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.

  • UrlPathEncode added.
    The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.

  • .NET 4.0 encoder support.
    There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.
    <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

The nuget package does not swap out the encoder as nuget configuration transforms can’t be made framework version specific yet so you will have to do that manually. Source code will uploaded to codeplex within the next few days.

Remember that downloading the new version is not enough – you will need to update your projects to use the new version then publish them to your web servers.

This release has also merged code from the .NET framework, taking some of their hard work in integrating the core AntiXSS functions into v4.5. There are some performance improvements in encoding.

Skip to main content