Microsoft's Open Source Anti-Cross Site Scripting Library

by Peter Galli on June 11, 2010 08:45am

My former colleague Ryan Naraine over at ZDNet wrote a blog post last week about Microsoft's Anti-Cross Site Scripting Library v3.1, an open source Web Protection Library consisting of a set of .NET assemblies designed to help developers protect web sites from cross-site scripting (XSS) attacks.

The RTM version of the Anti-Cross Site Scripting Library v3.1 was released last year under the Microsoft Public License (Ms-PL), an OSI-approved open source license, and introduced a number of new features.

In its overview of the Anti-Cross Site Scripting Library V3.1, Microsoft says it is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique - sometimes referred to as the principle of inclusions - to provide protection against XSS attacks.

"This approach works by first defining a valid or allowable set of characters, and encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.

"New features in this version of the Microsoft Anti-Cross Site Scripting Library include an expanded white list that supports more languages, performance improvements, performance data sheets (in the online help), support for Shift_JIS encoding for mobile browsers, a sample application, a Security Runtime Engine (SRE) HTTP module, and HTML Sanitization methods to strip dangerous HTML scripts," it says.
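The allow-list ("principle of inclusions") encoding approach described in the quoted overview, shown as an added example that is not code from the original post or from the AntiXSS library itself: a small JavaScript allow-list HTML encoder next to a conventional deny-list encoder. The allowed character set, the sample input and the helper names are assumptions made for this example; the real library's white list is broader and language-aware, as the feature list above notes.

```javascript
// Added example: allow-list HTML encoding versus deny-list HTML encoding.
// Illustrative code only, not the AntiXSS library's own implementation.
// The allowed set below is an assumption for the example.

// Assumed allow list: ASCII letters and digits plus a few punctuation
// characters that are harmless in HTML text and attribute values.
const ALLOWED = new Set(
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_'
);

// Allow-list encoder: every code point outside ALLOWED becomes a decimal
// numeric character reference. Characters the author never thought about
// (including anything non-ASCII) are encoded by default.
function encodeAllowList(input) {
  let out = '';
  for (const ch of String(input)) {          // for...of walks code points, so
    out += ALLOWED.has(ch)                   // surrogate pairs stay intact
      ? ch
      : `&#${ch.codePointAt(0)};`;
  }
  return out;
}

// Deny-list encoder, the more common approach: only the characters listed
// here are escaped; everything else passes through unchanged.
const DENIED = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };
function encodeDenyList(input) {
  return String(input).replace(/[<>&"']/g, (c) => DENIED[c]);
}

// Reports the distinct characters in `input` that are outside the allow list
// yet survive the deny-list encoder untouched. Whether any of them is
// dangerous depends on the HTML context the value lands in; the allow-list
// encoder does not require the developer to know that in advance.
function passesThroughDenyList(input) {
  return [...new Set(String(input))].filter(
    (ch) => !ALLOWED.has(ch) && encodeDenyList(ch) === ch
  );
}

// Constructed sample input for the example (not from the original page).
const sample = '<img src=x onerror=alert(1)> `ok`';

console.log(encodeAllowList(sample));
// &#60;img src&#61;x onerror&#61;alert&#40;1&#41;&#62; &#96;ok&#96;
console.log(encodeDenyList(sample));
// &lt;img src=x onerror=alert(1)&gt; `ok`
console.log(passesThroughDenyList(sample));
// [ '=', '(', ')', '`' ]
```

Run it with node. The trade-off the allow-list approach makes is output size: every character outside the allowed set, including ordinary accented letters, becomes a numeric reference, which is why the size of the white list (and its language coverage) matters as much as its safety.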

The binary can be downloaded here, and more information can be found on the project's CodePlex site.