Microsoft Releases New Anti-XSS Tool

Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0.  Any time you echo user input back to the web page, you are susceptible to either persistent or non-persistent cross-site scripting attacks.  You can download the tool from:


So what was wrong with using System.Web.HttpUtility.HtmlEncode?  The problem with the HttpUtility class is that it is based on a deny-list approach (I covered the downfall of this approach in an earlier blog post) rather than an accept-only approach.  As a result of the deny-list approach, HttpUtility.HtmlEncode is only good against the following characters:

  • <
  • >
  • &
  • Characters with values 160-255 inclusive


The Microsoft Anti-XSS tool follows an accept-only approach: it looks for a finite set of valid input characters and treats everything else as invalid (and therefore encodes it).  This approach provides more comprehensive protection against XSS and reduces the ability to trick HttpUtility.HtmlEncode with canonical-representation attacks.


You will find that the Anti-XSS tool works much like HttpUtility.HtmlEncode:

  • AntiXSSLibrary.HtmlEncode(string)
  • AntiXSSLibrary.URLEncode(string)

Now all characters will be encoded except for:

  • a-z (lower case)
  • A-Z (upper case)
  • 0-9 (Numeric values)
  • , (Comma)
  • . (Period)
  • _ (Underscore)
  • - (dash)
  • (Space), except in URLEncode

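The following is an added illustration of the difference between the two approaches, not code from the Anti-XSS library or from the original post. It implements an accept-only encoder using exactly the allowlist listed above, beside a model of a deny-list encoder that handles only the characters the post says HttpUtility.HtmlEncode covers, and reports which characters each one passes through untouched. The output forms are my own choices (decimal numeric character references for HTML, `%XX` percent-encoding of UTF-8 bytes for URLs) and the sample string is constructed; the real library's output format may differ.

```python
# Added example: accept-only (allowlist) encoding versus deny-list encoding.
# Not the Anti-XSS library's code. Allowlist taken from the post; output
# forms (decimal &#NN; references, %XX percent-encoding) are assumptions.

HTML_ALLOW = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789,._- "
)
# The post says space is allowed everywhere except in URLEncode.
URL_ALLOW = HTML_ALLOW - {" "}


def accept_only_html_encode(text: str) -> str:
    """Encode every character outside the allowlist as a decimal numeric reference."""
    return "".join(ch if ch in HTML_ALLOW else f"&#{ord(ch)};" for ch in text)


def accept_only_url_encode(text: str) -> str:
    """Percent-encode the UTF-8 bytes of every character outside the URL allowlist."""
    out = []
    for ch in text:
        if ch in URL_ALLOW:
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


# Model of the deny-list behaviour described in the post: only <, >, &
# and code points 160-255 are changed; everything else passes through.
DENY_LIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}


def deny_list_html_encode(text: str) -> str:
    """Deny-list encoder: touches only the characters on its list."""
    out = []
    for ch in text:
        if ch in DENY_LIST:
            out.append(DENY_LIST[ch])
        elif 160 <= ord(ch) <= 255:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


def passed_through(text: str, encoder) -> list:
    """Characters outside the allowlist that `encoder` leaves unchanged.

    This is the gap a reviewer cares about: anything here reaches the page
    verbatim even though it is not a known-safe character.
    """
    return sorted({ch for ch in text if ch not in HTML_ALLOW and encoder(ch) == ch})


# Constructed sample: mixes quotes, markup, an ampersand, a slash and a
# non-ASCII letter so both encoders have something to work on.
SAMPLE = "O'Neil said \"hi\" & <b>bye</b> \u00e9"

if __name__ == "__main__":
    print("deny-list :", deny_list_html_encode(SAMPLE))
    print("accept-only:", accept_only_html_encode(SAMPLE))
    print("URL        :", accept_only_url_encode(SAMPLE))
    print("deny-list passes through :", passed_through(SAMPLE, deny_list_html_encode))
    print("accept-only passes through:", passed_through(SAMPLE, accept_only_html_encode))
```

Running it shows the practical point of the post: the deny-list model leaves the quote characters and the slash untouched because nobody added them to its list, while the accept-only encoder never has to know about them, because anything it was not explicitly told is safe gets encoded.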

This is a must-have download!