What is the benefit to make encoderType to AntiXssEncoder in a MVC application?

Question

In the What’s New page of .Net 4.5, it said that you may set encoderType to use the AntiXssEncoder type. http://www.asp.net/aspnet/overview/aspnet-and-visual-studio-2012/whats-new#_Toc318097382

<httpRuntime ...
    encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

But what is the benefit to modify the default encoderType ?

Thanks.

Answer 1

AntiXssEncoder uses a whitelist approach to identify malicious inputs [Inputs that result in Cross Site Scripting (XSS)].

The default encoder in ASP.Net uses a blacklist approach.

Both do output encoding on the data. From a security standpoint a whitelist based approach should always be preferred over blacklist approach for identifying malice.

Excerpt from http://weblogs.asp.net/jongalloway/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net

1. AntiXSS is inherently more secure due to using a whitelist approach. Many security audits and certifications will require you to use a whitelist XSS encoder because a blacklist is always potentially vulnerable to unknown attacks.
2. Newer browsers have better XSS filtering built in, but there are vulnerabilities in older browser (e.g. UTF-7 charset switch) which wouldn't be detected picked up by the ASP.NET default encoder.

Answer 2

It's setting full control over input values. When string has some malicious codes antixss library drops it to protect.

http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx/