With .net 4 there’s a new <%: %> script enclosure that’s like <%= %> but does an html encode. People are encouraging the use of this new syntax.
My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?
A Microsoft security person once told me to never just use HTML Encode as it doesn’t protect very well and that I should always use the Anti XSS library (or another library). Is that still true with <%: %>? Or can I confidently use <%: %> knowing it’s going to protect my app from XSS like people are saying?
HttpUtility.HtmlEncodeuses a black list (principle of exclusions) approach to encoding, which potentially leaves the door ajar for newly discover exploits in the future. The Anti-XSS library (now known as the Web Protection Library and includes code to mitigate SQL injection too) uses a whitelist approach (principle of inclusions) which closes the door a little further and should provide better security.<%: ... %>is just a shortcut for<%= Server.HtmlEncode(string) %>and therefore provides the security of the encoder used in your application.You can use any encoder you like with the new
<%: ... %>syntax and Phil Haack has a great post on hooking up the Anti-Xss library as the default encoder. Bear in mind that currently Anti-XSS library 3.1 requires medium trust to run – this is being addressed for a future release.