Latest and Greatest AntiXssLibrary

  • Question

  • I am seeing multiple versions of AntiXssLibrary on the MSDN website.

    Microsoft Anti-Cross Site Scripting Library V4.2 for download.
    https://www.microsoft.com/en-us/download/details.aspx?id=28589
    1. Now I see two.
    One AntiXssEncoder library is available within System.Web.Security.AntiXss.
    And the other is with Microsoft.Security.Application.
    I am confused, which is the latest and greatest with best performance and handling? And why?

    If both can be used, in what specific scenarios?

    2. How to use HTML sanitization from the new AntiXss library if System.Web.Security.AntiXss is the one I have to use?

    Thanks,
    Kompella

    • Edited by Sky lab Wednesday, January 22, 2014 8:37 PM
    Wednesday, January 22, 2014 6:16 PM

Answers

  • Hi Kompella,

    >setting requestValidationMode=4.5 will not allow all the HTML tag inputs per page and also enables lazy validation.

    I agree with you except the below. The document says that the RequestValidationMode property guarantees that request validation is triggered before data is accessed during the request. You can see it in the Remarks tip on the following link.

    http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode.aspx

    Please note that any requestValidationMode specified as 4.0 or above will use the 4.0 way.

    Regards,



    • Marked as answer by Sky lab Tuesday, January 28, 2014 4:25 PM
    Friday, January 24, 2014 3:26 AM
    Moderator

All replies

  • Hi Kompella,

    The one in the System.Web namespace is a clone of the one in the Microsoft.Security namespace, so there is no real difference between the two. But the System.Web one is slightly tweaked for better performance characteristics. We recommend you use the System.Web one going forward.

    For a code sample, please refer to the following link: http://weblog.west-wind.com/posts/2012/Jul/19/NET-HTML-Sanitation-for-rich-HTML-Input.

    Regards,



    Thursday, January 23, 2014 6:12 AM
    Moderator
  • The example you forwarded is good for blacklisting the HTML tags. I went through some of the articles online and understand that setting requestValidationMode=4.5 will not allow all the HTML tag inputs per page and also enables lazy validation. And we can whitelist specific areas where we want to allow these HTML tags. Please share more information on this.

    Correct me in case my understanding is wrong.

    Regards,

    Kompella


    • Edited by Sky lab Thursday, January 23, 2014 3:08 PM
    Thursday, January 23, 2014 3:03 PM
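
The per-field opt-out and the System.Web AntiXssEncoder discussed in this thread, shown together as an added example that is not part of any post here. It assumes ASP.NET 4.5 with the `httpRuntime` settings shown in the leading comment; the handler class and the field names `title` and `body` are hypothetical.

```csharp
// Added example. Assumed web.config setting (ASP.NET 4.5):
//   <httpRuntime targetFramework="4.5" requestValidationMode="4.5"
//     encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web,
//                  Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
using System.Web;
using System.Web.Security.AntiXss;

// Hypothetical handler: "title" must pass request validation,
// "body" is the single field allowed to carry markup.
public class CommentHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        string title;
        try
        {
            // Validated access: with mode 4.5 the check runs here, when the
            // value is read, and throws if it looks like markup or script.
            title = request.Form["title"];
        }
        catch (HttpRequestValidationException)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Opt out of request validation for this one value only.
        string body = request.Unvalidated.Form["body"];

        // Request validation is only a first filter; encode at output.
        // AntiXssEncoder encodes, it does not sanitize: to render "body" as
        // markup, a separate HTML sanitizer would be needed instead.
        context.Response.ContentType = "text/html; charset=utf-8";
        context.Response.Write("<h1>"
            + AntiXssEncoder.HtmlEncode(title ?? string.Empty, false) + "</h1>");
        context.Response.Write("<pre>"
            + AntiXssEncoder.HtmlEncode(body ?? string.Empty, false) + "</pre>");
    }
}
```

With `encoderType` set as in the comment, the framework's built-in encoding calls such as `HttpUtility.HtmlEncode` are routed through AntiXssEncoder as well.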