What’s the difference between IOSEC and the Microsoft Anti-Cross Site Scripting Library?

  • Article

Some users who have been using IOSEC, our internal library for defending against cross-site scripting (XSS) attacks, may be wondering what’s the difference between that library and the Microsoft Anti-Cross Site Scripting Library V1.0 at https://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en.  

The IOSEC library currently implements encoding protection against XSS attacks conducted through vectors such as HTML, URLs, JavaScript, HtmlAttributes and Visual Basic Script. The Anti-Cross Site Scripting Library currently provides protection for a subset of those vectors. Here’s the break down:

 

XSS Attack Vector

IOSEC

Anti-Cross Site Scripting Library

Html

X

X

URL

X

X

Html Attribute

X

 

JavaScript

X

 

Visual Basic Script

X

 

 

In the 1.0 release of the Anti-Cross Site Scripting Library, only the code to do html and url encoding was provided. In the coming weeks we’ll be porting the full capabilities of IOSEC, some safe .NET controls to use in web applications plus some feedback from the community to the Anti-Cross Site Scripting Library V1.5. Check back soon for that release! 

 

Thanks,

 

Kevin Lam

Senior Security Technologist

Application Consulting & Engineering (ACE) Team

Comments

  • Anonymous
    March 19, 2006
    Hi, I'm found this almost by accident.  Do you have more information on exactly what this does?  I'm an XSS researcher and would like any information you could provide.  My email address is on my site.
  • Anonymous
    March 19, 2006
    Recently, Microsoft released the latest update to Anti-Cross Site Scripting tool which is part of a bigger...
  • Anonymous
    April 14, 2006
    Hello!

    I have downloaded Microsoft Anti-Cross Site Scripting Library V1.0, and have a question.

    As I could understand from the documentation, you suggest to use these functions instead of System.Web.HttpUtility methods.
    But I just cannot imagine an attack that shall be prevented by using Anti-XSS library and shall not be prevented by using System.Web.HttpUtility methods!
    Can you give an example? Why not using standard methods?
  • Anonymous
    May 16, 2006
    Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • Anonymous
    May 17, 2006
    [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • Anonymous
    May 24, 2006
    [ASP.NET]Microsoft の XSS 対策用 .NET ライブラリ第一弾 (Microsoft Anti-Cross Site Scripting Library V1.0)
  • Anonymous
    June 28, 2006
    The comment has been removed
  • Anonymous
    December 09, 2007
    The comment has been removed