antixsslibrary

In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time. My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I covered? Do I need to do anything when the HTML is outputted on a web page? Also, it appears that the white list is kind of a black box. Is there a way to update this based on our requirements? You should be set. Though obviously this won't protect you from

I can't include Microsoft.Security.Application using Microsoft.Security.Application; Gives this error: The type or namespace name 'Security' does not exist in the namespace 'Microsoft' (are you missing an assembly reference?) And yes, I clicked on Bin -> Add Reference... -> AntiXSSLibrary.dll and it added it to the Bin Folder including the AntiXSSLibray.xml. I rebuilt the whole website, and still nothing. I'm using ASP .NET 3.5 C# - AntiXSSLibrary 4.0 Stable Polity Right mouse on your website -> Convert to webapplication. See: How To Convert ASP.NET Website to ASP.NET Web Application If you

Microsoft's AntiXSS library has been broken for 6 months and it looks abandoned (that may or may not officially be the case). Due to a security issue with previous versions, it is not safe to rollback to an earlier release. Are there any good actively developed alternatives for AntiXSS and web security in general when working with the Microsoft (specifically MVC) stack? There's a new xss sanitizer shipping with the June 2012 release of the ajax control toolkit. The toolkit was originally using the microsoft anti xss library as well, so they experienced the same problems. The new sanitizer is

I'm looking at using WMD in my project instead of my existing RadEditor. I have been reading a few posts on how to store and retrieve the data, and I want to make sure I have the concept correct before proceeding. If my research is correct, here is what I should be doing. I should store the editor data twice (Once as HTML and once as Markdown) I should run the HTML through a Whitelist before storing it. I should run the HTML through AntiXSS on the way out (before displaying) I should use the Markdown data ONLY to repopulate Markdown for editing. Can anyone confirm or deny if this is correct,

When you can simply encode the data using HttpUtility.HtmlEncode , why should we use AntiXss.HtmlEncode ? Why is white list approach better than black listing? Also, in the Anti XSS library, where do I specify the whitelist? White lists are always more secure that blacklist - just think which will be more secure, having a list of all of the people who are not allowed to your party or only allowing in those who are. (Basically blacklists can only handle attacks which are obvious or have been used before). You can't specify or alter the white list with the AntiXSS library, which is not strange

I just ran across a question with an answer suggesting the AntiXss library to avoid cross site scripting. Sounded interesting, reading the msdn blog , it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode(). Why would I want to use AntiXss.HtmlEncode over HttpUtility.HtmlEncode? Indeed, I am not the first to ask this question. And, indeed, Google turns up some answers , mainly A white-list instead of black-list approach A 0.1ms performance improvement Well, that's nice, but what does it mean for me? I don't care so much about the performance of 0.1ms and I