This project is read-only.

AntiXSS is now End of Life

In .NET 4.0 a version of AntiXSS was included in the framework and could be enabled via configuration. In ASP.NET v5 a white list based encoder will be the only encoder.

As such the standalone versions of AntiXSS should be considered end of life.

The source and installers will remain online allow people using earlier versions of .NET to enable an alternative, whitelist based encoded but no further enhancements, outside of security fixes, will be made.

Download from nuget or the Microsoft Download Center


AntiXSS provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.
  • White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind.
  • Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
AntiXSS was merged into the .NET framework in v4.0. We recommend you use the bundled version, however we continue to make a standalone version available for older frameworks.

Security Runtime Engine

The Security Runtime Engine (SRE) provided a wrapper around your existing web sites, ensuring that common attack vectors to not make it to your application. Protection is provided as standard for
  • Cross Site Scripting
  • SQL Injection
The SRE was meant as a defense in depth strategy, adding an bandage around your application until you could update the underlying code to provide encoding and SQL injection protection. It is no longer provided as a download and it's use is not recommended, but source is available for those wanting to continue to use it or enhance it.

Last edited Nov 13, 2015 at 6:34 PM by bdorrans, version 10