问题
How does the XSS (Cross Site Scripting) support provided by ASP.net differs from AntiXss. AntiXss is a microsoft library for securing your site against XSS. Both API looks almost similar and it looks that they can easily be switched from one to another by doing find replace in your code files.
Which one provides more security against XSS? Is it advicable to use the intrinsic support provided by ASP.net?
回答1:
There are several differences. First of all the Microsoft AntiXss library uses white list encoding, which means that all characters are encoded, except all characters that are known safe. The standard encoding mechanism of ASP.NET is black list. For HTML encoding for instance, it only encodes 4 characters: <, >, & and " (for instance, it doesn't encode the single quote). Look for instance at this SO answer what can go wrong with this.
Another difference is that basic ASP.NET encoding (using the HttpUtility) is only capable of encoding HTML en URLs. AntiXss also allows encoding HTML attributes and JavaScript text. There is no safe way of doing with in standard ASP.NET.
回答2:
One thing you might bear in mind is release cycles; the encoding built into HttpUtility can only be updated when a new version of ASP.NET is released. If someone comes up with an XSS attack that works against HttpUtility the day after it is released, your application is vulnerable until a new version of ASP.NET is released. AntiXSS has a (much) faster release cycle, which means as new attacks appear the team can react to them faster and release an updated AntiXSS that will defend against them.
来源:https://stackoverflow.com/questions/3437819/anti-xss-support-in-asp-net-vs-antixss-lib