AntiXSS Library v4.2.1

Rating:        Based on 26 ratings
Reviewed:  25 reviews
Downloads: 16218
Released: Jan 10, 2012
Updated: Jan 11, 2012 by bdorrans
Dev status: Stable Help Icon

Recommended Download

Documentation Whats New in 4.2
documentation, 46K, uploaded Jan 10, 2012 - 16218 downloads

Release Notes

Download from
It is highly recommended you apply this new version as soon as possible.

If you downloaded v4.2 you may see an error due to filename changes - this has been fixed. Please install v4.2.1.

This release addresses a vulnerability in the HTML Sanitizer, MS12-007 and adds full support for .NET 4.0 as well as restoring support for .NET 2.0.

The sanitizer has been changed to remove all CSS it encounters, this new behaviour means that if you were keeping CSS formatting from HTML that is no longer going to be the case.

In addition to the change necessary to correct the vulnerability there are a few new features;
  • Minimum Requirements.
You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.
  • Invalid Unicode no longer throws an exception.
Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.
  • UrlPathEncode added.
The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.
  • .NET 4.0 encoder support.
There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

Reviews for this release

this is peace of shit, it removes <b> tags!! I can see too many developers saying the same thing.. why do you ignore them!?
by WasimAlatrash on May 16, 2014 at 10:00 PM
Once you finally find this utility you find out that it's usefulness is pretty lacking. We deserve something better. Although anything would be better.
by Geiger on Apr 1, 2014 at 9:12 PM
After going through the code to see if it was possible to fix their implementation, it looks like it would be easier to simply start from scratch. This is a huge implementation which basically just strips all HTML, something that a RegEx could handle. Terrible.
by replaysMike on Sep 23, 2013 at 9:05 PM
Note, the older version can be installed via Nuget as described here:
by jjorczak on Jun 26, 2013 at 3:37 PM
I used AntiXSS on my website for some years. First problem I got when the new version 4x changed the behaviour completely, which made the library useless to me. So I kept 3x. Next problem I got when the hoster moved my website to partial trust. AntiXSS.GetSafeHtmlFragment() requires full trust. That is nuts. So I removed AntiXSS completely.
by PeterHuber on Jun 18, 2013 at 4:21 AM
When will you fix the problems?
by juhhong on Jun 12, 2013 at 7:46 AM
Sanitizer.GetSafeHtmlFragment is too agressive and strips perfectly safe html, rendering it pretty much useless.
by pschrama72 on Apr 26, 2013 at 11:45 AM
The only safe HTML is Plain Text! Guys, you are the best!
by KalininAndrey on Jan 28, 2013 at 10:10 AM
Totally useless, destroyed our existing project and now I'm going to have to write a replacement and refactor the whole code base to replace GetSafeHtmlFragment with something that actually works. Thanks a bunch Microsoft!
by jaredfholgate on Aug 23, 2012 at 2:00 PM
What the release notes don't tell you is that: (1) The old version of the sanitizer is completely vulnerable to XSS attacks in IE, due to a CSS parsing error, and (2) this patch "fixes" it by removing all CSS and various other harmless tags and attributes (such as <b> tags and HREF attributes). If you intend to sanitize any kind of HTML at all, use something else.
by keithripley on Aug 1, 2012 at 10:57 AM
GetSafeHtmlFragment functionality is broken.
by Untit1ed on Jul 23, 2012 at 10:31 PM
Breaking basic functionality is bad. Not fixing it is worse. Not providing the source for others to fix your errors for you is tragic. Not providing older *working* versions is pretty much the death-knell of any project. Shame on you!
by RubenP on Jul 2, 2012 at 1:46 PM
Useless in its current form
by jlewin on Jun 15, 2012 at 6:12 PM
No source code released; lots of functionality broken with no satisfactory response from author. Previous versions of source code have been removed. This isn't open source, it's a random DLL that does something to your website. Hopefully it will be more secure. Good luck explaining the what's and why's to others.
by clamont on May 30, 2012 at 12:22 PM
Four months and counting, still no fix in place for properly processing Rich Text applications. Yet, no previous versions are available for use to fall back to. I have to rate this as Very Poor, because of the failed usability and the time it is taking to fix.
by Sothryn on May 17, 2012 at 5:40 PM
Wow - this thing is a total fail. I found this that helps a little bit -->
by asoong on May 3, 2012 at 9:03 PM
Too aggressive when it removes html elements and there is no docs about whether it's by design or just bugs
by zihotki on May 3, 2012 at 11:56 AM
This version regressed the usability of the library to the point of making it useless and hard to convince application owners in the world to incorporate such a tool. Instead we either have to rely on the older version, or look somewhere else. Unfortunately there doesn't seem to be urgency to fix it or even notify of a plan...
by simosentissi on May 2, 2012 at 4:16 PM
Strips all A and B tags, useless.
by BlueCode on May 1, 2012 at 8:42 AM
Totally broken. See or the other review comments for more details. What's worse is this has been released for 3 months now and nobody from the project team has bothered to fix or comment on what are clearly major issues with this release.
by brentonw on Apr 14, 2012 at 9:16 PM
Very poor. The updated HTML Sanitizer pretty much scrubs out HTML tables and bold text.
by janrex on Apr 10, 2012 at 6:58 AM
The HTML sanitizer in this release is pretty much worthless. See this issue for details: I've ended up using the HTML Agility Pack to parse the string into an HTML document and remove each node that is not part of a whitelist.
by briane on Apr 4, 2012 at 8:30 PM
breaks compatibility with WYSIWYG HTML editors.
by bchavez on Mar 11, 2012 at 4:52 PM
This release strips out all href tags in an anchor tag.
by mritchson on Feb 27, 2012 at 8:28 PM
The 4.2 is NOT backwards compatible with the previous releases. It's filtering is far too agressive and will also remove benign tags and attributes (including href) that will break any WYSIWYG formatting on your site. Terrible!
by eksith on Feb 16, 2012 at 12:18 AM