AntiXSS, the open source encoding library from the Microsoft Security Tools folks, has gone live, and the binaries are available from the MS download centre. I’ve been recommending this for quite a while over the framework’s HttpEncode and UrlEncode simply because it offers more options (JavaScript, VBScript, XML encoding) and has a visible test suite – plus if something does go wrong it’ll be easier to patch it quickly, rather than wait for a patched version of the .NET framework. There’s also a runtime module which will try to encode on the fly in case you forget to …
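To show why a context-specific, white-list encoder matters more than the framework's blacklist-style HtmlEncode, here is an added example in Python that is not AntiXSS code: a minimal white-list HTML and JavaScript encoder pair next to a blacklist encoder that only replaces `& < > "`, applied to a constructed sample value. The encoder behaviour mimics the approach the post describes; the function names and safe-character sets are my own assumptions.

```python
import string

# White-list approach: these characters pass through untouched, everything else is encoded.
HTML_SAFE = set(string.ascii_letters + string.digits + " .,-_")
JS_SAFE = set(string.ascii_letters + string.digits)


def html_encode(value: str) -> str:
    """Encode for HTML element content: non-white-listed chars become numeric entities."""
    return "".join(c if c in HTML_SAFE else f"&#{ord(c)};" for c in value)


def javascript_encode(value: str) -> str:
    """Encode for the inside of a single-quoted JavaScript string literal."""
    out = []
    for c in value:
        if c in JS_SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02x}")   # Latin-1 range as \xHH
        else:
            out.append(f"\\u{ord(c):04x}")   # everything else as \uHHHH
    return "".join(out)


def blacklist_html_encode(value: str) -> str:
    """Blacklist encoder: replaces only & < > " and leaves the apostrophe alone,
    as older HttpUtility.HtmlEncode versions did."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def closes_js_literal(encoded: str) -> bool:
    """True if the encoded text would terminate a single-quoted JS string literal early
    because a raw quote or line break made it through the encoder."""
    return any(c in encoded for c in "'\n\r")


if __name__ == "__main__":
    name = "O'Reilly <b>"   # constructed sample input: a name with an apostrophe
    print(html_encode(name))              # O&#39;Reilly &#60;b&#62;
    print(javascript_encode(name))        # O\x27Reilly\x20\x3cb\x3e
    # HTML-encoding a value that lands inside a JS literal is the wrong encoder for the context:
    print(closes_js_literal(blacklist_html_encode(name)))  # True
    print(closes_js_literal(javascript_encode(name)))      # False
```

The point is that the encoder must match the output context (HTML body, attribute, JavaScript string, URL); a value that is perfectly safe in one context is not in another.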

This version includes:

  • An expanded white list that supports more languages
  • Performance improvements
  • Performance data sheets (in the online help)
  • Support for Shift_JIS encoding for mobile browsers
  • A sample application
  • Security Runtime Engine (SRE) HTTP module

The source on codeplex doesn’t indicate if it’s matching the binary download right now, so it may be a little out of whack.

What’s perhaps more interesting is the next steps, the Web Protection Library. This extends the SRE (Security Runtime Engine) to protect against more than XSS, looking at file canonicalization, SQL injection, LDAP and XPath encoding, Click Jack header enforcement, SSL enforcement etc. I’ve already asked for extensibility to write your own modules :)
