AntiXssEncoder uses a whitelist approach to identify malicious inputs (inputs that result in Cross-Site Scripting, XSS).
The default encoder in ASP.NET uses a blacklist approach.
Both do output encoding on the data. From a security standpoint, a whitelist-based approach should always be preferred over a blacklist approach for identifying malice.
Excerpt from http://weblogs.asp.net/jongalloway/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net:
- AntiXSS is inherently more secure due to using a whitelist approach. Many security audits and certifications will require you to use a whitelist XSS encoder because a blacklist is always potentially vulnerable to unknown attacks.
- Newer browsers have better XSS filtering built in, but there are vulnerabilities in older browsers (e.g. UTF-7 charset switch) which wouldn't be picked up by the ASP.NET default encoder.
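To make the whitelist-versus-blacklist distinction concrete, here is an added example that is not part of the original answer, the linked blog post, or the AntiXSS library itself. It runs the built-in `HttpUtility.HtmlEncode` and `AntiXssEncoder.HtmlEncode` (both real .NET Framework 4.5+ APIs in `System.Web.dll`) over the same constructed inputs, next to two hypothetical toy encoders written here only to show the principle: the toy whitelist encodes every character outside a small allowed set, while the toy blacklist encodes only the characters it already knows about. The toy safe list is an assumption for illustration, not AntiXSS's actual safe list.

```csharp
// Added example, not code from the original answer or from the AntiXSS project.
// Build as a console app targeting .NET Framework 4.5+ with a reference to System.Web.dll.
using System;
using System.Text;
using System.Web;
using System.Web.Security.AntiXss;

class EncoderComparison
{
    // Hypothetical whitelist encoder (illustration only; not AntiXSS's real safe list).
    // Anything outside the allowed set is numerically encoded, so characters the
    // author never anticipated are neutralised by default.
    static string ToyWhitelistHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            bool safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                     || (c >= '0' && c <= '9') || c == ' ' || c == '.' || c == ',';
            if (safe)
                sb.Append(c);
            else
                sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // Hypothetical blacklist encoder (illustration only). Only the characters on its
    // list are encoded; everything else, including characters it has never heard of,
    // passes through unchanged. That is the "unknown attacks" weakness from the excerpt.
    static string ToyBlacklistHtmlEncode(string input)
    {
        return input.Replace("&", "&amp;").Replace("<", "&lt;").Replace(">", "&gt;");
    }

    static void Main()
    {
        // Constructed sample inputs: a tag, an attribute-breaking quote, a plus/minus
        // sequence of the kind a charset switch relies on, and non-ASCII text.
        string[] samples =
        {
            "<b>bold</b>",
            "it's \"quoted\"",
            "+ADw-tag+AD4-",
            "café & crème",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("Input:           " + s);
            Console.WriteLine("HttpUtility:     " + HttpUtility.HtmlEncode(s));
            // Second argument false = numeric entities rather than named ones.
            Console.WriteLine("AntiXssEncoder:  " + AntiXssEncoder.HtmlEncode(s, false));
            Console.WriteLine("Toy whitelist:   " + ToyWhitelistHtmlEncode(s));
            Console.WriteLine("Toy blacklist:   " + ToyBlacklistHtmlEncode(s));
            Console.WriteLine();
        }
    }
}
```

Running it side by side shows why the answer prefers the whitelist: the toy blacklist leaves the quote, the `+`/`-` characters and the accented letters untouched because nobody listed them, whereas the whitelist encoders encode them without needing to know why they might be dangerous. To make `AntiXssEncoder` the application-wide default (the subject of the linked post) rather than calling it explicitly, point the `encoderType` attribute of `<httpRuntime>` in web.config at the assembly-qualified type name, `System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`, as documented for the .NET Framework.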