Microsoft's Open Source Anti-Cross Site Scripting Library
by Peter Galli on June 11, 2010 08:45am
My former colleague Ryan Naraine over at ZDNet wrote a blog post last week about Microsoft's Anti-Cross Site Scripting Library v3.1, an open source Web Protection Library consisting of a set of .NET assemblies designed to help developers protect web sites from cross-site scripting attacks.
The RTM version of the Anti-Cross Site Scripting Library v3.1 was released last year under the Open Source Microsoft Public License, and contains a number of new features.
In its overview of the Anti-Cross Site Scripting Library V3.1, Microsoft says it is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique - sometimes referred to as the principle of inclusions - to provide protection against XSS attacks.
"This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.
"New features in this version of the Microsoft Anti-Cross Site Scripting Library include an expanded white list that supports more languages, performance improvements, performance data sheets (in the online help), support for Shift_JIS encoding for mobile browsers, a sample application, a Security Runtime Engine (SRE) HTTP module, and HTML Sanitization methods to strip dangerous HTML scripts," it says.