1

As far as i know asp.net mvc3 is quite secure but is there any places I can use Microsoft AntiXSS library there to get more security? http://wpl.codeplex.com/

How can I found any places inside my application where i may use this? May be some one may find anything where this library cold be used inside asp.net mvc3 ?

jason
  • 13
  • 5

2 Answers2

2

Well, as the owner of AntiXSS I'd obviously say yes. However I'm biased :)

AntiXSS gives you

  • More encoding options - including encoding for CSS, JavaScript and LDAP (should you be querying AD from your code)
  • A safe list, rather than an unsafe list. This is inherently more secure, but is slower. Whilst the default .NET blacklist is good enough, it does depend on how your systems handle input too.

Now, with AntiXSS 4.1 you can easily get AntiXSS to plug into MVC and be used as the default encoder. That's a beta right now, the code is available for download along with limited instructions on how to swap out the encoder. You should see release within before November.

blowdart
  • 55,577
  • 12
  • 114
  • 149
  • interesting, could you give a bit more details about this AntiXSS controller, any samples i can look at? – jason Sep 02 '11 at 16:31
  • Oops, my bad, encoder not controller. Editing now. http://idunno.org/archive/2011/04/23/antixss-4-1-beta-1.aspx has the supported swap out details. – blowdart Sep 02 '11 at 16:53
0

It depends on how the user entered data you are trying to collect is used and if you've told the application to allow HTML.

Personally, I'd use the AntiXss Library where ever the input allows HTML to be entered and later redisplayed on the site, but otherwise, MVC3 will block HTML fairly well if you've not told it to allow HTML to be entered.

Stephen
  • 1,737
  • 2
  • 26
  • 37