Cross-site scripting can be a tough vulnerability to eliminate, but it doesn’t necessarily have to be. If you’re working on an ASP.NET project, the Microsoft Anti-XSS library is easy to use and freely available. Like a lot of developers, I’ve rolled my own anti-XSS by escaping specific characters, but it’s usually clunky and, let’s face it, there are still bound to be vulnerabilities. The MS library can encode output for HTML, HTML attributes, JavaScript and VBScript, as well as for XML and XML attributes.
Always encode data from untrusted inputs. Just a few examples include:
- Databases
- Form fields
- Session variables
- Query string
- Cookies
Using the library is very simple. Just add a reference to the dll to your project (and a using directive for the Microsoft.Security.Application namespace, where the AntiXss class lives), and you’re ready to go. Here’s a quick and dirty code example encoding a value from the query string:
using Microsoft.Security.Application;
string Name = AntiXss.HtmlEncode(Request.QueryString["Name"]);
A good rule to live by is “When in doubt, encode it.” Just don’t encode it twice.
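The library has a separate encoder for each output context, and the rule of thumb only works if you pick the one that matches where the value ends up. The following is an added example written for this post, not code from the original article or from Microsoft’s library: it assumes a project reference to AntiXssLibrary.dll and the AntiXss class in the Microsoft.Security.Application namespace; the GreetingRenderer class and its methods are hypothetical names chosen for the illustration.

```csharp
// Added example (not from the original post): one untrusted value rendered
// into four different output contexts, each with the matching encoder.
using System;
using Microsoft.Security.Application;

public static class GreetingRenderer
{
    // 'name' is untrusted: it may come from the query string, a form field,
    // a cookie, a session variable or a database row. Encode it here, at the
    // point of output, never when it is stored.
    public static string RenderHtml(string name)
    {
        name = name ?? string.Empty;

        // 1. HTML body text: between tags.
        string body = "<p>Hello, " + AntiXss.HtmlEncode(name) + "</p>";

        // 2. HTML attribute value: always quote the attribute as well.
        string input = "<input type=\"text\" name=\"name\" value=\""
                     + AntiXss.HtmlAttributeEncode(name) + "\" />";

        // 3. URL query parameter: a different character set is safe here,
        //    so HtmlEncode would be the wrong choice.
        string link = "<a href=\"/profile?name=" + AntiXss.UrlEncode(name)
                    + "\">profile</a>";

        // 4. JavaScript string literal inside a script block. Check how your
        //    library version quotes the result before adding your own quotes.
        string script = "<script>var user = " + AntiXss.JavaScriptEncode(name)
                      + ";</script>";

        return body + input + link + script;
    }

    // "Don't encode it twice": this is the pattern to avoid. Encoding a value
    // that was already encoded turns '&' from the first pass into '&amp;',
    // so the user sees raw entities such as &amp;#60; instead of '<'.
    public static string RenderDoubleEncoded(string alreadyEncodedFromDb)
    {
        return "<p>" + AntiXss.HtmlEncode(alreadyEncodedFromDb) + "</p>";
    }

    // Correct counterpart: store the raw input and encode once on the way out.
    public static string RenderFromRawStorage(string rawFromDb)
    {
        return "<p>" + AntiXss.HtmlEncode(rawFromDb ?? string.Empty) + "</p>";
    }
}
```

In a code-behind you would call GreetingRenderer.RenderHtml(Request.QueryString["Name"]) and assign the result to a literal control. The important design choice is that the raw value is kept raw in storage; encoding belongs to the output context, so the same value can be rendered into HTML today and into XML or JavaScript tomorrow without first having to undo an earlier encoding.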
You can download the library from Microsoft here.