What is the advantage of making encoderType for AntiXssEncoder in MVC application?
Whats New.Net 4.5 page says you can set encoderType to use AntiXssEncoder type. http://www.asp.net/aspnet/overview/aspnet-and-visual-studio-2012/whats-new#_Toc318097382
<httpRuntime ...
encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
But what is the use of changing the default encoderType?
Thank.
source to share
AntiXssEncoder uses a whitelist to identify malicious entries [Inputs that lead to Cross Site Scripting (XSS)].
The default encoder in ASP.Net uses a blacklist.
Both have output data encoding. From a security standpoint, a whitelist approach should always be preferred over a blacklist approach for detecting malice.
Excerpt from http://weblogs.asp.net/jongalloway/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net
- AntiXSS is inherently more secure due to the use of whitelisting. Many security checks and certifications will require you to use a whitelisted XSS encoder because a blacklist is always potentially vulnerable to unknown attacks.
- Newer browsers have better built-in XSS filtering, but there are vulnerabilities in an earlier browser (such as the UTF-7 charset switch) that won't be detected as set by the ASP.NET default encoder.
source to share
It takes full control over the input values. When a string contains some malicious code, the antixss library discards it for protection.
http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx/
source to share