Differences Between AntiXss.HtmlEncode and HttpUtility.HtmlEncode Methods

Syed Aslam Basha here. I am a tester on the Information Security Tools team and responsible for testing Microsoft Anti-XSS V3.0.

The difference lies in implementation and performance you could get.

The following are the differences between Microsoft.Security.Application.AntiXss.HtmlEncode and System.Web.HttpUtility.HtmlEncode methods:

  1. Anti-XSS uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against Cross-Site Scripting (XSS) attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). System.Web.HttpUtility.HtmlEncode and other encoding methods in that namespace use principle of exclusions and encode only certain characters designated as potentially dangerous such as <, >, & and ' characters.
  2. The Anti-XSS Library's list of white (or safe) characters support more than a dozen languages (Greek and Coptic,Cyrillic,Cyrillic Supplement, Armenian, Hebrew, Arabic, Syriac, Arabic Supplement, Thaana, NKo and more)
  3. Anti-XSS library has been designed specially to mitigate XSS attacks whereas HttpUtility encoding methods are created to ensure that ASP.NET output does not break HTML.
  4. Performance - the average delta between AntiXss.HtmlEncode() and HttpUtility.HtmlEncode() is +0.1 milliseconds per transaction.
  5. Anti-XSS Version 3.0 provides a test harness which allows developers to run both XSS validation and performance tests.