17.3 Mitigating XSS Vulnerabilities with the Anti-Cross Site Scripting Library

Cross-site scripting (XSS) is a common security vulnerability in web applications. An application is vulnerable to XSS whenever it builds a dynamic web page that displays user-controlled data. In an attack that exploits this vulnerability, the attacker supplies a malicious script instead of valid input. That input is embedded in the HTML document the application generates and ends up running in the victim’s browser as though it were legitimate code from the application. This may allow the attacker to gain unauthorized access to the application and its sensitive data or, at the very least, to deface the web site.

Microsoft’s Anti-Cross Site Scripting Library helps mitigate this threat by encoding user input before it is embedded in the dynamic web page. The encoding changes the input so that the browser treats it as literal text and never executes it, regardless of whether or not it contains malicious code.
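As an added example (not code from the book or from Microsoft’s library), the following helper builds the same HTML fragment once by raw concatenation and once through the library’s context-specific encoders. It assumes the v1.0 API names AntiXss.HtmlEncode and AntiXss.HtmlAttributeEncode in the Microsoft.Security.Application namespace and a project reference to AntiXss.dll.

```csharp
// Added example: rendering user input into HTML with and without the
// Anti-Cross Site Scripting Library. Requires a reference to AntiXss.dll.
using System;
using Microsoft.Security.Application;   // assumed v1.0 namespace

public static class GreetingRenderer
{
    // Vulnerable: the raw value lands inside both an attribute and an element
    // body, so a quote followed by markup breaks out of the attribute and any
    // <script> tag is interpreted by the browser.
    public static string RenderUnsafe(string name)
    {
        return "<div title=\"" + name + "\">Hello, " + name + "</div>";
    }

    // Mitigated: each insertion point uses the encoder for its context. The
    // library replaces characters outside its safe set with &#NN; character
    // references, so the browser renders the value as text, not markup.
    public static string RenderEncoded(string name)
    {
        return "<div title=\"" + AntiXss.HtmlAttributeEncode(name) + "\">Hello, "
             + AntiXss.HtmlEncode(name) + "</div>";
    }

    public static void Main()
    {
        // Constructed sample input: an attribute breakout plus a script tag.
        string hostile = "\"><script>alert(1)</script>";

        Console.WriteLine("Unsafe:  " + RenderUnsafe(hostile));
        Console.WriteLine("Encoded: " + RenderEncoded(hostile));
    }
}
```

In the encoded output the quote, angle brackets and slash appear as character references, so the attribute stays closed and the script tag is displayed rather than run.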

Anti-Cross Site Scripting Library at a Glance

Tool: Anti-Cross Site Scripting Library
Version covered: 1.0
Home page: http://www.microsoft.com/downloads/details.aspx?FamilyID=9A2B9C92-7AD9-496C-9A89-AF08DE2E5982&displaylang=en
Power Tools page: http://www.windevpowertools.com/tools/97
Summary: Library of functions used for encoding user input to guard against cross-site scripting attacks
License type: Freeware
Online resources ...
