Confirm that antixss is actually being used when set as the default encoder in asp.net

Question

We want to encode data sent to browsers to help prevent XSS in an asp.Net 4 application. Microsoft's AntiXSS software is attractive as it uses a white-list as opposed to a black list approach. Unfortunately, the API's are different between the version for .net Framework 4 and the one included in .net Framework 4.5+. AntiXSS can be set as the default encoder for an asp.net website.

Would anyone have an example XSS where httpUtility (or the default encoder) encode output differently than AntiXSS?

I've looked at a number of XSS examples and so far Antixss has produced the same output that httpUtility provides. This happens for the example situations I found with Google. For instance, there are a number of reports that httpUtility doesn't handle single quotes but the examples I fed into httpUtility did encode single quotes (appostrophes). This would also be a situation where AntiXSS catches problems that httpUtility (or the default encoder) doesn't.

Thanks

Mike

Answer 1

The way I confirmed that the AntiXSS encoders were used was to use the MarkAsSafe routine to mark Greek characters as safe:

    System.Web.Security.AntiXss.AntiXssEncoder.MarkAsSafe(
        System.Web.Security.AntiXss.LowerCodeCharts.GreekAndCoptic |
        System.Web.Security.AntiXss.LowerCodeCharts.BasicLatin,
        System.Web.Security.AntiXss.LowerMidCodeCharts.None,
        System.Web.Security.AntiXss.MidCodeCharts.None,
        System.Web.Security.AntiXss.UpperMidCodeCharts.None,
        System.Web.Security.AntiXss.UpperCodeCharts.None);

I then entered Unicode characters into a TextBox with some in the character set marked as safe and some that were not: Π Π ฿

I observed that when I used HttpUtility.HtmlEncode(inputText.Text) I saw "Π Π ฿" displayed. When I set the default encoder to System.Web.Security.AntiXss.AntiXssEncoder, I now saw Π Π ฿.

This shows that the antiXss encoder was active.