System.Web.Security.AntiXss.AntiXssEncoder vs Microsoft.Security.Application.AntiXssEncoder

Question

In ASP.NET 4.5 there is a new namespace System.Web.Security.AntiXss which includes encoding routines from version 4.0 of the AntiXssLibrary (http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382).

The latest version of AntiXssLibrary is 4.2.1.

I'm quite confused what type I should use for encoding output HTML in my new project: built in System.Web.Security.AntiXss.AntiXssEncoder or Microsoft.Security.Application.AntiXssEncoder from AntiXssLibrary. Could anyone tell me what type is preferred to use and why?

Answer 1

The one in the System.Web.* namespace is a clone of the one in the Microsoft.Security.* namespace, but the System.Web one is slightly tweaked for better performance characteristics. We recommend the System.Web one going forward.

If you set the <httpRuntime encoderType> setting as described at http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382, then you can just use the built-in encoding routines like HttpUtility.HtmlEncode, and the implementation will be provided by the Anti-XSS libraries.