Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0.  Anytime you echo user input back to the Web Page you are susceptible either persistent or non-persistent cross site scripting attacks.  You can download the tool from: 

 

http://www.microsoft.com/downloads/details.aspx?familyid=9a2b9c92-7ad9-496c-9a89-af08de2e5982&displaylang=en

 

So what was wrong with using System.Web.HttpUtility.HtmlEncode?  The problem with HttpUtility class is it was based upon deny-list approach—in which I mentioned an earlier blog on the down fall with this approach—versus a Accept-only approach.  As a result of the deny-list approach the HttpUtility.HtmlEncode as only good against the following characters:

  • < 
  • > 
  • &
  • Characters with values 160-255 inclusive 

The Microsoft Anti-XSS tool follows an Accept-only approach in which this tool looks for a finite set of valid input and everything else is considered invalid.  This approach will provide a more comprehensive protection to XSS and reduce the ability to trick HttpUtility.HtmlEncode with canonical representations attacks.

 

You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:

  • AntiXSSLibrary.HtmlEncode(string)
  • AntiXSSLibrary.URLEncode(string)

Now all characters will be encoded except for:

  • a-z (lower case)
  • A-Z (upper case)
  • 0-9 (Numeric values)
  • , (Comma)
  • . (Period)
  • _ (Underscore)
  • - (dash)
  • (Space)—Except for URLEncode

 This is a must load download!