Any good security encoding libraries for .NET out there?

Question

Been reading up on various injection-type attacks, and it seems like the best way to get rid of these vulnurabilities is to encode all user input to remove / replace some characters with others (< > ; etc).

What's my best bet here? Are there any nice libraries out there to aid me with this? Or something that could help me spot potential vulnurabilities? - Or are regular expressions my best bet? :)

Thanks a lot

Answer 1

Take a look at the AntiXSS library.

Answer 2

OWASP Antisamy and OWASP ESAPI.

Of these, I would vote for ESAPI, since I've used the Java version of ESAPI to prevent XSS attacks. Keep in mind that plain HTML encoding of data will not prevent XSS. The context of the data is important as well - you will have to escape JavaScript if you are dynamically generating it and injecting it into the response at the server.

Answer 3

The Server in ASP.NET Page instances (accessible via Page i.e. this) offers a HtmlEncode() method that should suffice to prevent XSS attacks.

By default, without explicitly allowing it in either web.config or via a page directive, ASP.NET will reject any suspicious input with an error page.

Answer 4

You got 3 nice choices for Cross-site Scripting protection:

I would try in this order.

• Microsoft Anti Cross-site Scripting Library
• OWASP Reform
• OWASP ESAPI

Answer 5

Recently I've been looking at ESAPI.NET and the project seems incomplete and perhaps inactive -- especially compared to the java package.

Anti-XSS only covers a subset of ESAPI's scope and, indeed, ESAPI.NET uses AntiXSS (though not the latest) for encoding.

Any comments testifying to ESAPI.NET's usefulness would be helpful.