
In ASP.NET 4.5 there is a new namespace System.Web.Security.AntiXss which includes encoding routines from version 4.0 of the AntiXssLibrary (http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382).

The latest version of AntiXssLibrary is 4.2.1.

I'm quite confused about which type I should use for encoding output HTML in my new project: the built-in System.Web.Security.AntiXss.AntiXssEncoder or Microsoft.Security.Application.AntiXssEncoder from the AntiXssLibrary. Could anyone tell me which type is preferred and why?

Alexander Simonov

1 Answer


The one in the System.Web.* namespace is a clone of the one in the Microsoft.Security.* namespace, but the System.Web one is slightly tweaked for better performance characteristics. We recommend the System.Web one going forward.

If you set the <httpRuntime encoderType> setting as described at http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382, then you can just use the built-in encoding routines like HttpUtility.HtmlEncode, and the implementation will be provided by the Anti-XSS libraries.

Levi
  • Thanks. Does it mean that I should always use this System.Web class regardless of new versions of the `AntiXSS library`? – Alexander Simonov Aug 13 '13 at 03:58
  • @AlexanderSimonov there is no real difference between the two. They're both updated together. Use whichever one is more convenient. The System.Web one is serviceable (since it's part of the .NET Framework), so we're pushing people toward it if they're able to use it. – Levi Aug 13 '13 at 20:05
  • @Levi, who told you that System.Web is the one going forward? Thank you. – Frank Jul 05 '16 at 02:08
  • @Frank, I was speaking on behalf of the ASP.NET team when I made that statement. – Levi Jul 06 '16 at 19:01
  • That link is dead now. – Liam Aug 04 '16 at 09:02
  • Updated link on preventing cross-site scripting: https://docs.asp.net/en/latest/security/cross-site-scripting.html – SteveFerg Aug 25 '16 at 20:12
  • The System.Web.* version doesn't seem to include the Ldap related methods, whereas the Microsoft.Security.* version does. – Jimmy Oct 19 '17 at 19:14
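As an added example (not code from the question or the answer above), this shows the httpRuntime encoderType wiring the answer recommends, together with a startup check that the swap actually happened: a mistyped type name leaves the default HttpEncoder in place without any error, so the check fails fast instead. The sample input string and the Global.asax placement are assumptions for illustration.

```csharp
// web.config: route HttpUtility.HtmlEncode, Server.HtmlEncode and the <%: %>
// syntax through the built-in System.Web AntiXssEncoder (ASP.NET 4.5+).
//
//   <system.web>
//     <httpRuntime targetFramework="4.5"
//                  encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web,
//                               Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
//   </system.web>
//
// Global.asax.cs: verify at application start that the configured encoder is in use.
using System;
using System.Web;
using System.Web.Security.AntiXss;
using System.Web.Util;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // HttpEncoder.Current is the encoder every HttpUtility/HttpServerUtility
        // encoding call delegates to; it is only AntiXssEncoder if the config above loaded.
        if (!(HttpEncoder.Current is AntiXssEncoder))
        {
            throw new InvalidOperationException(
                "httpRuntime encoderType is not set to AntiXssEncoder; " +
                "HttpUtility.HtmlEncode is using the default encoder.");
        }

        // Constructed sample of untrusted text containing markup-significant characters.
        string untrusted = "<b>O'Brien & Co</b>";

        // With the swap in place, existing calls to HttpUtility.HtmlEncode already
        // go through the AntiXss whitelist encoder; the explicit static call is the
        // same library and is what you would use outside an ASP.NET request.
        string viaHttpUtility = HttpUtility.HtmlEncode(untrusted);
        string viaAntiXss = AntiXssEncoder.HtmlEncode(untrusted, useNamedEntities: false);

        // Neither result may carry raw markup characters into the HTML body.
        char[] forbidden = { '<', '>', '"', '\'' };
        if (viaHttpUtility.IndexOfAny(forbidden) >= 0 || viaAntiXss.IndexOfAny(forbidden) >= 0)
        {
            throw new InvalidOperationException("HTML encoder left markup characters unencoded.");
        }
    }
}
```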