In ASP.NET 4.5 there is a new namespace System.Web.Security.AntiXss which includes encoding routines from version 4.0 of the AntiXssLibrary (http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382). The latest version of AntiXssLibrary is 4.2.1.
I'm quite confused about what type I should use for encoding output HTML in my new project: the built-in System.Web.Security.AntiXss.AntiXssEncoder or Microsoft.Security.Application.AntiXssEncoder from AntiXssLibrary. Could anyone tell me what type is preferred to use and why?
The one in the System.Web.* namespace is a clone of the one in the Microsoft.Security.* namespace, but the System.Web one is slightly tweaked for better performance characteristics. We recommend the System.Web one going forward.
If you set the <httpRuntime encoderType> setting as described at http://www.asp.net/aspnet/overview/aspnet-45/whats-new#_Toc318097382, then you can just use the built-in encoding routines like HttpUtility.HtmlEncode, and the implementation will be provided by the Anti-XSS libraries.
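The setting referred to in the answer above, shown as an added web.config fragment that is not part of the original answer. It assumes an application targeting .NET Framework 4.5 and uses the assembly-qualified name of the built-in System.Web encoder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.5" />
    <!--
      encoderType replaces the default HttpEncoder for the whole application.
      With the built-in Anti-XSS encoder registered here, existing calls such
      as HttpUtility.HtmlEncode are served by the Anti-XSS implementation,
      so page and controller code does not need to change.
      No reference to the separate AntiXssLibrary package is required.
    -->
    <httpRuntime
        targetFramework="4.5"
        encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </system.web>
</configuration>
```

Without the encoderType attribute the framework keeps its default encoder, and the Anti-XSS routines are only used where code calls System.Web.Security.AntiXss.AntiXssEncoder directly.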