AntiXSS with a web forms project in 4.5

Nov 11, 2014 at 3:13 PM
I am trying to implement anti XSS support in a web forms app running on .net 4.5 but I am a little confused. I want to sanitise data on input and encode data on output. My understanding is that, out of the box, the default input filtering in the .net framework uses a black list, but that a white list approach is more favourable.

I’ve read that using the Microsoft AntiXSS / Web protection Library is the recommended approach, however I’m unsure as to what’s involved with implementing it. I’ve read numerous articles on the subject and some imply that by merely including an entry in your config file will replace the default filtering/encoding with the more robust AntiXSS version, meaning the enhanced filtering/encoding is then done automatically. Is this true and if so, is there an easy way to test it to prove the new library is being used?

Nov 11, 2014 at 4:18 PM
AntiXSS doesn't really do input sanitization. It has an HTML sanitizer, but it's old and not supported any more.

It will support output encoding, which will protect you when input filtering fails, which frankly is pretty often, as everyone's idea of what's suitable input is particular to their own app. The config support is only to swap out output encoders.
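Added example (not code from either poster): a small check that shows the difference between the default .NET HTML encoder and the AntiXSS whitelist encoder, and the Web.config line that swaps the default output encoder for it. It assumes .NET 4.5, where `AntiXssEncoder` ships in `System.Web.Security.AntiXss` inside System.Web, and a console project that references System.Web; the probe string and sample input are constructed for the example.

```csharp
// Web.config line (system.web section) that routes HttpUtility.HtmlEncode,
// Server.HtmlEncode and the <%: %> syntax through the AntiXSS encoder:
//
//   <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
//
// That setting only applies inside an ASP.NET request, so this console program
// calls both encoders explicitly to show what the swap changes. In a web forms
// page the same IsAntiXssEncoder probe run against HttpUtility.HtmlEncode tells
// you whether the config entry actually took effect.
using System;
using System.Web;
using System.Web.Security.AntiXss;

class EncoderCheck
{
    // The default encoder escapes markup characters but leaves characters
    // outside the Latin-1 range alone. AntiXSS encodes everything that is not
    // on its Basic Latin safe list, so a single non-Latin-1 character is a
    // cheap probe: "€" (U+20AC) survives the default encoder unchanged and
    // becomes "&#8364;" under AntiXSS.
    static bool IsAntiXssEncoder(Func<string, string> encode)
    {
        return encode("\u20AC") == "&#8364;";
    }

    static void Main()
    {
        // Constructed untrusted input mixing markup with a non-Latin-1 character.
        string untrusted = "<b>price: 5\u20AC</b>";

        Console.WriteLine("Default: " + HttpUtility.HtmlEncode(untrusted));
        Console.WriteLine("AntiXSS: " + AntiXssEncoder.HtmlEncode(untrusted, false));

        Console.WriteLine("HttpUtility uses AntiXSS here: "
            + IsAntiXssEncoder(s => HttpUtility.HtmlEncode(s)));
        Console.WriteLine("AntiXssEncoder uses AntiXSS:   "
            + IsAntiXssEncoder(s => AntiXssEncoder.HtmlEncode(s, false)));
    }
}
```

The first probe prints false in a plain console app, because nothing has replaced the default encoder there; the same probe placed in a page of a web forms project that carries the `encoderType` setting prints true, which is the straightforward test for whether the config entry is doing anything.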