AntiXSS is a .NET library which provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript. AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind.


What’s new in 4.0


Return values

If you pass a null as the value to be encoding to an encoding function the function will now return null. Previous behaviour was to return String.Empty.

Medium Trust Support

The HTML Sanitization methods have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.

Adjustable safe-listing for HTML/XML Encoding

The safe list for HTML and XML encoding is now adjustable. You can now choose from the Unicode Code Charts which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters will always be encoded

Invalid Unicode character detection

If any of the HTML, XML or CSS encoding methods encounters a character with a character code of 0xFFFE or 0xFFFF, the characters used to detect byte order at the beginning of files an InvalidUnicodeValueException will be thrown.

HTML 4.01 Named Entity Support

A new overload of the HtmlEncode method, allows you to specify if the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example if useNamedEntities is set to true © would be encoded as ©.

Surrogate Character Support in HTML and XML encoding

Support for surrogate character pairs for Unicode characters outside the basic multilingual plane has been improved. Such character pairs are now combined and encoded as their &xxxxx; value.

If a high surrogate pair character is encountered which is not followed by a low surrogate pair character, or a low surrogate pair character is encountered which is not preceded by a high surrogate pair character an InvalidSurrogatePairException is thrown.

HtmlFormUrlEncode

A new encoding type suitable for using in encoding Html POST form submissions is now available via HtmlFormUrlEncode(string input). This encodes according to the W3C specifications for application/x-www-form-urlencoded MIME type.

LDAP Encoding changes

The LdapEncode function has been deprecated in favor of two new functions, LdapFilterEncode and LdapDistinguishedNameEncode.

LdapFilterEncode encodes input according to RFC4515 where unsafe values are converted to \XX where XX is the representation of the unsafe character.

LdapDistinguishedNameEncode encodes input according to RFC 2253 where unsafe characters are converted to #XX where XX is the representation of the unsafe character and the comma, plus, quote, slash, less than and great than signs are escaped using slash notation (\X). In addition to this a space or octothorpe (#) at the beginning of the input string is \ escaped as is a space at the end of a string. An override is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name.

In addition to the RFC mandated escaping the safe list excludes the characters listed at http://projects.webappsec.org/LDAP-Injection.

MarkOutput

The ability to mark output using an HtmlEncode overload and query string parameter has been removed.


Minimum Requirements


AntiXSS 4.0 requires .NET Framework v3.5.

In addition if you wish to compile from source you will need Visual Studio 2010.


Installer


You can access the installer via the AntiXSS toolbox entry at

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651


Source and license


The source for AntiXSS 4.0 will be available on CodePlex at http://wpl.codeplex.com/

The software is licensed under the MS-Pl and no contributions have been taken from the community.