AntiXSS 庫目前處於版本 4.2.1,下載地址:http://www.microsoft.com/download/en/details.aspx?id=28589。它經歷了一次非常棒的重新編寫過程,並且就安全性而言,它提供了比 ASP.NET 附帶的編碼器更好的 HTML 編碼器。 並不是說 Server.HtmlEncode 有什么問題,只是它側重於兼容性而不是安全性。 AntiXSS 使用不同的方法進行編碼。 有關詳細信息,請訪問 msdn.microsoft.com/security/aa973814。Jon Galloway 在 http://weblogs.asp.net/jgalloway/archive/2011/04/28/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net.aspx 中發布了有關此內容的精彩文章。
This release addresses a vulnerability in the HTML Sanitizer, MS12-007 http://technet.microsoft.com/en-us/security/bulletin/ms12-007 and adds full support for .NET 4.0 as well as restoring support for .NET 2.0.
The sanitizer has been changed to remove all CSS it encounters, this new behaviour means that if you were keeping CSS formatting from HTML that is no longer going to be the case.
In addition to the change necessary to correct the vulnerability there are a few new features;
- Minimum Requirements.
You can now, once again, use the encoder libraries with .NET 2.0. The installer will create directories for each framework version supported, .NET 2.0, .NET 3.5 and .NET 4.0 which contain an optimized version of the encoders for that platform.
- Invalid Unicode no longer throws an exception.
Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.
- UrlPathEncode added.
The encoding library now has UrlPathEncode which will encode a string for use as the path part of a URL.
- .NET 4.0 encoder support.
There’s finally an official way to swap AntiXSS into the framework. If you are using .NET 4.0 ensure you are using the .NET 4.0 version of the encoding library and then edit your web.config and add the encoderType attribute to the httpRuntime element; i.e.
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>