AntiXSS is now End of Life
In .NET 4.0 a version of AntiXSS was included in the framework and could be enabled via configuration. In ASP.NET v5 a white list based encoder will be the only encoder.
As such the standalone versions of AntiXSS should be considered end of life.
The source and installers will remain online to allow people using earlier versions of .NET to enable an alternative, whitelist-based encoder, but no further enhancements, outside of security fixes, will be made.
- White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost, AntiXSS has been written with performance in mind.
- Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
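The white list approach from the list above, sketched as an added example (this is not the AntiXSS library's own code). The class and method names are hypothetical, and the safe list is an assumed ASCII-only subset chosen for the demo, so non-ASCII text is always encoded here.

```csharp
using System;
using System.Text;

// Added illustration of white list encoding; NOT the AntiXSS implementation.
static class WhiteListEncoderDemo
{
    // Characters emitted unchanged (assumed safe list for this demo only).
    static bool IsSafe(int cp) =>
        (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') ||
        (cp >= '0' && cp <= '9') ||
        cp == ' ' || cp == '.' || cp == ',' || cp == '-' || cp == '_';

    // HTML rule: anything off the list becomes a decimal character reference.
    public static string HtmlEncode(string input) =>
        Encode(input, cp => "&#" + cp + ";");

    // JavaScript string rule: \xHH, \uHHHH, or a surrogate pair of \uHHHH escapes.
    public static string JavaScriptEncode(string input) => Encode(input, cp =>
    {
        if (cp < 0x100) return "\\x" + cp.ToString("X2");
        if (cp < 0x10000) return "\\u" + cp.ToString("X4");
        string pair = char.ConvertFromUtf32(cp);
        return "\\u" + ((int)pair[0]).ToString("X4") +
               "\\u" + ((int)pair[1]).ToString("X4");
    });

    // Walks the input by code point and applies the context-specific escape
    // to every code point that is not on the safe list.
    static string Encode(string input, Func<int, string> escape)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            int cp;
            if (char.IsSurrogatePair(input, i)) { cp = char.ConvertToUtf32(input, i); i++; }
            else if (char.IsSurrogate(input[i])) { cp = 0xFFFD; } // lone surrogate: replace
            else { cp = input[i]; }
            sb.Append(IsSafe(cp) ? ((char)cp).ToString() : escape(cp));
        }
        return sb.ToString();
    }

    static void Main()
    {
        string sample = "Tom's café = `ok` \U0001F600"; // constructed sample input
        Console.WriteLine(HtmlEncode(sample));
        Console.WriteLine(JavaScriptEncode(sample));
    }
}
```

The same input produces different output per context because each encoding type has its own escape rule, while the decision about which characters pass through untouched is made once, by the safe list.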
AntiXSS was merged into the .NET framework in v4.0. We recommend you use the bundled version; however, we continue to make a standalone version available for older frameworks.
Security Runtime Engine
The Security Runtime Engine (SRE) provided a wrapper around your existing web sites, ensuring that common attack vectors do not make it to your application. Protection is provided as standard for:
- Cross Site Scripting
- SQL Injection
The SRE was meant as a defense in depth strategy, adding a bandage around your application until you could update the underlying code to provide encoding and SQL injection protection. It is no longer provided as a download and its use is not recommended, but source is available for those wanting to continue to use it or enhance it.