.NET AntiXSS Library
Revision as of 02:37, 15 April 2014 by Jeff Knutson (talk | contribs)
(NOTE:) This content is a work in progress and all contribution is welcome. Please contact Jeff Knutson (User:Jeff Knutson) with questions, ideas, corrections, etc.
Overview
Cross-site scripting (XSS) continues to show up as a top vulnerability.
Options
- Microsoft AntiXSS Library
- Available in ASP.NET 4.5 in the System.Web.Security.AntiXss namespace
- Available prior to ASP.NET 4.5 via NuGet (https://www.nuget.org/packages/AntiXSS/): Install-Package AntiXSS (currently v4.2.1 as of 4/12/2014)
- Instructions for using Microsoft AntiXSS as the default encoder in ASP.NET (Phil Haack has already written a good post on this: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx/)
- Microsoft Web Protection Library (WPL) - via http://wpl.codeplex.com/workitem/17246
- there seem to be known issues with this library: http://blog.securityps.com/2012/12/alternatives-to-microsofts-wpl-sanitizer.html
- OWASP Anti-Samy Library (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET)
- Not recently maintained (a good opportunity for someone to get it up to date and relevant!)
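The following is an added example, not code from the original wiki page or from Microsoft, showing the point the option list is making about the Microsoft AntiXSS library: untrusted data must be encoded with the encoder that matches the output context it lands in (HTML body, HTML attribute, JavaScript string, URL parameter). It uses the AntiXssEncoder that ships in ASP.NET 4.5 under System.Web.Security.AntiXss, the framework's HttpUtility.JavaScriptStringEncode for the script context, and a constructed sample input; the class and method names (AntiXssDemo, ForHtmlBody, etc.) are this example's own.

```csharp
// Added example (not from the original page): context-sensitive output encoding
// with the ASP.NET 4.5 AntiXssEncoder. Compile against System.Web.dll.
using System;
using System.Web;
using System.Web.Security.AntiXss;

public static class AntiXssDemo
{
    // Constructed sample of untrusted input, as a user might submit it in a form field.
    private const string Untrusted = "<script>alert('x')</script>\" onmouseover=\"alert(1)";

    // HTML body text: <p>...</p>. AntiXssEncoder uses an allow-list, so everything
    // outside the safe set is encoded; 'false' requests numeric rather than named entities.
    public static string ForHtmlBody(string input)
    {
        return AntiXssEncoder.HtmlEncode(input, false);
    }

    // HTML attribute values: <input value="...">. Attribute encoding is stricter than
    // body encoding, which is why a single "HtmlEncode everywhere" habit is not enough.
    public static string ForHtmlAttribute(string input)
    {
        return AntiXssEncoder.HtmlAttributeEncode(input);
    }

    // Data placed inside a JavaScript string literal in an inline <script> block.
    // HttpUtility.JavaScriptStringEncode escapes quotes, backslashes and control
    // characters; 'true' wraps the result in double quotes.
    public static string ForJavaScript(string input)
    {
        return HttpUtility.JavaScriptStringEncode(input, true);
    }

    // Data placed in a query-string parameter of a URL.
    public static string ForUrlParameter(string input)
    {
        return AntiXssEncoder.UrlEncode(input);
    }

    public static void Main()
    {
        Console.WriteLine("HTML body:      <p>" + ForHtmlBody(Untrusted) + "</p>");
        Console.WriteLine("HTML attribute: <input value=\"" + ForHtmlAttribute(Untrusted) + "\">");
        Console.WriteLine("JavaScript:     var name = " + ForJavaScript(Untrusted) + ";");
        Console.WriteLine("URL parameter:  /search?q=" + ForUrlParameter(Untrusted));
    }
}
```

Each method maps to one sink on the page; the same input rendered through the wrong encoder (for example, body-encoded text dropped into an attribute or a script block) is the classic way a "we encode everything" application still ends up with XSS. To make the allow-list encoder the default behind HttpUtility.HtmlEncode, Razor's @ syntax and the <%: %> code nugget, ASP.NET 4.5 applications set the httpRuntime encoderType attribute in web.config to "System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"; applications on the NuGet package use the Microsoft.Security.Application namespace instead, as described in the Phil Haack post linked above.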
TODO
Now
- Look at the Microsoft implementations
- See what work has already been done in the OWASP space for XSS
- See what other work has been done for XSS (both .NET and other technology stacks)
- Illustrate vulnerabilities and how to mitigate them (e.g. WebGoat)
- See if we can get the OWASP Anti-Samy project back into relevance
Future
- Dream big here!