In celebration of the bright shining thing in the Seattle sky (I haven’t seen it in a while, I’m scary) I’ve pushed new source for the AntiXSS encoding libraries to codeplex, including specific support for swapping out the default encoders in .NET 4.0.

As this is only a beta there are no binaries, you will need to grab the source yourself and compile. Replacing the default encoders in .NET 4.0 will require you to use the DLL from the Net4 project and to make a web.config change to the httpRuntime node as follows

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/> 

The runtime encoder feature should work with both WebForms and MVC (either the webforms or Razor view engines).

Nothing else has changed, please feel free to log any weird encoding bugs you see on codeplex, especially if you swap out the default controller - this may cause hiccups with 3rd party controls which make assumptions about encoding.

Technorati Tags: