How to install in MVC

May 24, 2012 at 4:57 PM

How do you install this for use in an MVC3 application?

I used NuGet to add the package.  However I didn't see where it did anything to the web.config.


Are you supposed to make your own encoder and put something in web.config like Haack posted a few years ago?  I saw another post that said you don't need to now.

If you use Haack's code you get warnings:

'Microsoft.Security.Application.AntiXss' is obsolete: '"This class has been deprecated. Please use Microsoft.Security.Application.Encoder instead."' 




May 24, 2012 at 7:01 PM
Edited May 24, 2012 at 7:01 PM

It is built in now, but it's only supported in .NET 4.0.

You can enable it with the following config line:

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

You'll need to ensure you're linking to the .NET 4 version of the library.
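
Added example, not part of the original thread and not the library's own code: the config line above needs no custom class, but if you keep a hand-written encoder in the style of the older approach mentioned in the question, this is how it looks when it calls the non-obsolete `Microsoft.Security.Application.Encoder` named in the warning. The class name `SiteAntiXssEncoder` and the assembly name `MyWebApp` are hypothetical.

```csharp
using System;
using System.IO;
using System.Web.Util;

// Hypothetical wrapper class. Register it in web.config under <system.web>:
//   <httpRuntime encoderType="SiteAntiXssEncoder, MyWebApp" />
// where "MyWebApp" is a placeholder for the assembly that contains this class.
public class SiteAntiXssEncoder : HttpEncoder
{
    // Called by ASP.NET for HttpUtility.HtmlEncode, Razor's @value and <%: %>.
    protected override void HtmlEncode(string value, TextWriter output)
    {
        if (output == null)
        {
            throw new ArgumentNullException("output");
        }

        // Fully qualified to avoid a clash with System.Text.Encoder.
        // This replaces the obsolete AntiXss.HtmlEncode call.
        output.Write(Microsoft.Security.Application.Encoder.HtmlEncode(value));
    }

    // Called for values written into HTML attributes.
    protected override void HtmlAttributeEncode(string value, TextWriter output)
    {
        if (output == null)
        {
            throw new ArgumentNullException("output");
        }

        output.Write(Microsoft.Security.Application.Encoder.HtmlAttributeEncode(value));
    }

    // UrlEncode and UrlPathEncode are deliberately not overridden here,
    // so the framework's default URL encoding stays in effect.
}
```

To confirm the encoder is active, render a value such as `<b>é</b>` through `@Model.Value` and view the page source: the markup characters should appear entity-encoded rather than as live tags.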