AntiXSS Library v4.2.1

Rating: Based on 25 ratings
Reviewed: 24 reviews
Downloads: 15592
Released: Jan 10, 2012
Updated: Jan 11, 2012 by bdorrans
Dev status: Stable

Recommended Download

Documentation - What's New in 4.2
documentation, 46K, uploaded Jan 10, 2012 - 15592 downloads

Release Notes

Download from http://www.microsoft.com/download/en/details.aspx?id=28589
It is highly recommended you apply this new version as soon as possible.

If you downloaded v4.2 you may see an error due to filename changes - this has been fixed. Please install v4.2.1.

This release addresses a vulnerability in the HTML Sanitizer (MS12-007, http://technet.microsoft.com/en-us/security/bulletin/ms12-007) and adds full support for .NET 4.0 as well as restoring support for .NET 2.0.

The sanitizer has been changed to remove all CSS it encounters. Because of this new behaviour, any CSS formatting that the sanitizer previously preserved from HTML input will no longer be kept.

In addition to the change necessary to correct the vulnerability there are a few new features:

  • Minimum Requirements.
    You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported (.NET 2.0, .NET 3.5 and .NET 4.0), each of which contains an optimized version of the encoders for that platform.

  • Invalid Unicode no longer throws an exception.
    Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode, invalid Unicode characters would be detected and an exception thrown.

  • UrlPathEncode added.
    The encoding library now has UrlPathEncode, which will encode a string for use as the path part of a URL.

  • .NET 4.0 encoder support.
    There's finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0, ensure you are using the .NET 4.0 version of the encoding library, then edit your web.config and add the encoderType attribute to the httpRuntime element, as follows:

    <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
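The following console harness is an added example, not code from the AntiXSS project or these release notes. It assumes the static Sanitizer and Encoder classes in the Microsoft.Security.Application namespace of AntiXssLibrary.dll, and uses constructed HTML fragments to show the two behaviour changes above before they reach production: the sanitizer now dropping CSS, and the encoders substituting U+FFFD for invalid Unicode instead of throwing.

```csharp
// Added example (not part of the AntiXSS release): run a set of stored
// rich-text fragments through Sanitizer.GetSafeHtmlFragment and report
// which ones 4.2.1 changes, then exercise the encoder on invalid UTF-16.
using System;
using Microsoft.Security.Application;   // assumed: AntiXssLibrary.dll v4.2.1

class AntiXssUpgradeCheck
{
    // Constructed samples of the kind of markup an application might store.
    static readonly string[] Samples =
    {
        "<p style=\"color:red\">styled paragraph</p>",          // inline CSS
        "<style>p { background: red }</style><p>text</p>",      // style block
        "<a href=\"http://example.com/\">link</a>",             // plain link
        "<table><tr><td>cell</td></tr></table>",                // table
    };

    static void Main()
    {
        foreach (string input in Samples)
        {
            string output = Sanitizer.GetSafeHtmlFragment(input);
            // CSS removal is expected in 4.2.1; anything else flagged here
            // is content the application relies on and must be reviewed
            // rather than silently lost after the upgrade.
            string mark = output == input ? "unchanged" : "CHANGED  ";
            Console.WriteLine("{0} {1}\n          -> {2}", mark, input, output);
        }

        // A lone high surrogate is invalid UTF-16. In 4.2.1 the encoder
        // substitutes U+FFFD; earlier releases threw an exception here.
        string broken = "abc\uD800def";
        try
        {
            Console.WriteLine("HtmlEncode: " + Encoder.HtmlEncode(broken));
        }
        catch (Exception ex)   // only expected on pre-4.2.1 builds
        {
            Console.WriteLine("Encoder threw: " + ex.GetType().Name);
        }

        // New in 4.2: encode user-supplied text for the path part of a URL.
        Console.WriteLine("UrlPathEncode: " + Encoder.UrlPathEncode("docs/a b/<x>.txt"));
    }
}
```

Run it against the fragments your own application stores rather than the constructed samples; the CHANGED lines are the list of content that needs a decision before 4.2.1 is deployed.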

Reviews for this release

     
Once you finally find this utility you find out that its usefulness is pretty lacking. We deserve something better. Although anything would be better.
by Geiger on Apr 1 at 8:12 PM
     
After going through the code to see if it was possible to fix their implementation, it looks like it would be easier to simply start from scratch. This is a huge implementation which basically just strips all HTML, something that a RegEx could handle. Terrible.
by replaysMike on Sep 23, 2013 at 8:05 PM
     
Note, the older version can be installed via Nuget as described here: http://nuget.org/packages/AntiXSS/4.0.1
by jjorczak on Jun 26, 2013 at 2:37 PM
     
I used AntiXSS on my website for some years. First problem I got when the new version 4x changed the behaviour completely, which made the library useless to me. So I kept 3x. Next problem I got when the hoster moved my website to partial trust. AntiXSS.GetSafeHtmlFragment() requires full trust. That is nuts. So I removed AntiXSS completely.
by PeterHuber on Jun 18, 2013 at 3:21 AM
     
When will you fix the problems?
by juhhong on Jun 12, 2013 at 6:46 AM
     
Sanitizer.GetSafeHtmlFragment is too aggressive and strips perfectly safe HTML, rendering it pretty much useless.
by pschrama72 on Apr 26, 2013 at 10:45 AM
     
The only safe HTML is Plain Text! Guys, you are the best!
by KalininAndrey on Jan 28, 2013 at 9:10 AM
     
Totally useless, destroyed our existing project and now I'm going to have to write a replacement and refactor the whole code base to replace GetSafeHtmlFragment with something that actually works. Thanks a bunch Microsoft!
by jaredfholgate on Aug 23, 2012 at 1:00 PM
     
What the release notes don't tell you is that: (1) The old version of the sanitizer is completely vulnerable to XSS attacks in IE, due to a CSS parsing error, and (2) this patch "fixes" it by removing all CSS and various other harmless tags and attributes (such as <b> tags and HREF attributes). If you intend to sanitize any kind of HTML at all, use something else.
by keithripley on Aug 1, 2012 at 9:57 AM
     
GetSafeHtmlFragment functionality is broken.
by Untit1ed on Jul 23, 2012 at 9:31 PM
     
Breaking basic functionality is bad. Not fixing it is worse. Not providing the source for others to fix your errors for you is tragic. Not providing older *working* versions is pretty much the death-knell of any project. Shame on you!
by RubenP on Jul 2, 2012 at 12:46 PM
     
Useless in its current form
by jlewin on Jun 15, 2012 at 5:12 PM
     
No source code released; lots of functionality broken with no satisfactory response from author. Previous versions of source code have been removed. This isn't open source, it's a random DLL that does something to your website. Hopefully it will be more secure. Good luck explaining the what's and why's to others.
by clamont on May 30, 2012 at 11:22 AM
     
Four months and counting, still no fix in place for properly processing Rich Text applications. Yet, no previous versions are available for use to fall back to. I have to rate this as Very Poor, because of the failed usability and the time it is taking to fix.
by Sothryn on May 17, 2012 at 4:40 PM
     
Wow - this thing is a total fail. I found this that helps a little bit --> http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/
by asoong on May 3, 2012 at 8:03 PM
     
Too aggressive when it removes HTML elements, and there are no docs about whether it's by design or just bugs.
by zihotki on May 3, 2012 at 10:56 AM
     
This version regressed the usability of the library to the point of making it useless and hard to convince application owners in the asp.net world to incorporate such a tool. Instead we either have to rely on the older version, or look somewhere else. Unfortunately there doesn't seem to be urgency to fix it or even notify of a plan...
by simosentissi on May 2, 2012 at 3:16 PM
     
Strips all A and B tags, useless.
by BlueCode on May 1, 2012 at 7:42 AM
     
Totally broken. See http://wpl.codeplex.com/workitem/17246 or the other review comments for more details. What's worse is this has been released for 3 months now and nobody from the project team has bothered to fix or comment on what are clearly major issues with this release.
by brentonw on Apr 14, 2012 at 8:16 PM
     
Very poor. The updated HTML Sanitizer pretty much scrubs out HTML tables and bold text.
by janrex on Apr 10, 2012 at 5:58 AM
     
The HTML sanitizer in this release is pretty much worthless. See this issue for details: http://wpl.codeplex.com/workitem/17246 I've ended up using the HTML Agility Pack to parse the string into an HTML document and remove each node that is not part of a whitelist. http://stackoverflow.com/questions/3107514/html-agility-pack-strip-tags-not-in-whitelist
by briane on Apr 4, 2012 at 7:30 PM
     
Breaks compatibility with WYSIWYG HTML editors.
by bchavez on Mar 11, 2012 at 3:52 PM
     
This release strips out all href tags in an anchor tag.
by mritchson on Feb 27, 2012 at 7:28 PM
     
The 4.2 is NOT backwards compatible with the previous releases. Its filtering is far too aggressive and will also remove benign tags and attributes (including href) that will break any WYSIWYG formatting on your site. Terrible!
by eksith on Feb 15, 2012 at 11:18 PM