Microsoft has released an open-source Web Protection Library (WPL) to help developers protect web sites from cross-site scripting attacks.
The WPL, which is a set of .NET assemblies, is being offered as part of a defense in depth strategy to add an extra layer to any validation or secure coding practices.
It essentially provides a list of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript.
- White Lists: AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind.
- Secure Globalization: The web is a global market place, and cross-site scripting is a global issue. An attack can be coded anywhere, and Anti-XSS now protects against XSS attacks coded in dozens of languages.
- Security Runtime Engine: The Security Runtime Engine (SRE) provides a wrapper around your existing web sites, ensuring that common attack vectors to not make it to your application. Protection is provided as standard forCross Site ScriptingSQL Injection.
Documentation and download instructions can be found at the open-source Codeplex site.