Jim Kita's MS Architecture Blog

Best Practices in Enterprise Application Architecture from an MS perspective.

Tuesday, January 26, 2010 #

For as long as it has been available, I have recommended the Microsoft Anti-Cross Site Scripting Library for internet development because it is a valuable tool that helps developers mitigate one class of common security threats.  As important as this tool is, I was always a bit disappointed that it only went part way in handling the wide variety of threats our applications are exposed to.  As a result, I was excited to learn that the next version of the Anti-XSS Library will be completely revamped and renamed.  The new name is the Web Protection Library (WPL).  Besides being easier to say, the library will maintain mitigation for Cross Site Scripting and add protection for the following types of attacks:

  • SQL Injection
  • Cross-Site Request Forgery (CSRF)
  • Setting Enforcement like SSL & HTTP_ONLY cookies
  • Security Runtime Engine for SQL Injection & XSS
  • Among others

The library, which was announced here, is currently a CTP, and Microsoft does not advise its use in production.  But to my mind you have one of three choices:  (1) don’t mitigate web application threats, (2) write your own library and risk making as many (or more) implementation errors as the MS Security Tools team, or (3) take their work in progress, with a reasonable expectation of features and performance, and get a lot from your investment.

If you are doing web development, please look at the WPL now.