AntiXSS v3.1 new features

  • Article

Syed Aslam Basha here from the Information Security Tools team.

In AntiXSS library, two new methods AntiXss.GetSafeHtml and AntiXss.GetSafeHtmlFragment have been added, useful to sanitize the HTML input. These methods are useful in scenarios where the user enters HTML input and likes to store or display it back as HTML. The methods validate the input and strips off any harmful scripts and returns safe output to be stored or displayed on the browser. Internally these methods make use of HtmlToHtml class.

Example,

    1: Response.Write(AntiXss.GetSafeHTml(Textbox1.Text));

In the above example, if the input to textbox1 is <a href=https://blogs.msdn.com/syedab/default.aspx>myblog <script> alert('Inject Script'); </script>

The harmful script sections are stripped off and the output returned is <html> <body> myblog </body> </html>.

Apart from sanitization missing tags are also be added.

Likewise, use of AntiXss.GetSafeHtmlFragment for the above will result in myblog 

-Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead