Microsoft AntiXSS - is there a need for decoding?

The HttpUtility class provides both encoding and decoding. But when I use the MS AntiXSS 3.1 library, I only get a set of encoding methods. Can this be avoided so that the output can be decoded?

for example

Before using AntiXSS:

 lblName.Text = "ABC" + "<script> alert('Inject'); </script>"; 

After applying AntiXSS:

 // Microsoft.Security.Application.AntiXss, from the AntiXSS 3.1 library
 lblName.Text = AntiXss.HtmlEncode("ABC" + "<script> alert('Inject'); </script>"); 

So, after applying the encoding, the HTML tags are displayed in my Label control.

Is this the desired result?

+3
c# html-encode antixsslibrary
3 answers

It depends on where your input comes from and what you want to do with it. A lot of the time the framework decodes for you before you see anything: Request.Form, Request.QueryString, etc.

If you are reading an encoded string from somewhere else, for example a database, then you may need to decode it; otherwise you will see double encoding, for example:

 I 3> AntiXSS        (encoded once)   ->  I 3&gt; AntiXSS 
 I 3&gt; AntiXSS     (encoded again)  ->  I 3&amp;gt; AntiXSS 

which may have unintended side effects depending on what consumes the output. Canonicalization, for example, is the act of decoding until the string no longer changes.

+3

Yes, I think this is the desired result, because the script is not executed. If the script had been executed, an alert would have been displayed instead of the script tags. So this is safe code.

+3

You can use the HttpUtility.Decode method to decode text encoded by AntiXss (or any HTML-encoded text, really), so AntiXss does not need its own decode method.

+1
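As an added example (this is not code from the question or from any of the answers above), the behaviour the first and third answers describe, in C#: encoding once gives the literal tags the question sees in the Label, encoding an already-encoded value (say, one stored encoded in a database) produces the `&amp;lt;` double encoding, and a canonicalization loop decodes until the string stops changing. It uses System.Net.WebUtility from the .NET base class library rather than the AntiXSS library itself; the assumption is that Microsoft.Security.Application.AntiXss.HtmlEncode (AntiXSS 3.1) and System.Web.HttpUtility.HtmlDecode are drop-in substitutes for the encode and decode calls here, which is what the third answer relies on. The payload string is constructed for the demo.

```csharp
// Added example, not code from the original page. Shows single encoding
// (the safe output the question sees), double encoding, and canonicalization.
// Assumption: WebUtility.HtmlEncode/HtmlDecode stand in for
// Microsoft.Security.Application.AntiXss.HtmlEncode and HttpUtility.HtmlDecode.
using System;
using System.Net;

static class EncodingDemo
{
    // Untrusted input, constructed for the demo.
    public const string Payload = "ABC<script>alert('Inject');</script>";

    // What the Label should render: '<', '>', '&', quotes are escaped, so the
    // browser shows the tags as text instead of executing the script.
    public static string EncodeForHtml(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted);
    }

    // The mistake the first answer warns about: storing an encoded value and
    // encoding it again on output. '&' becomes "&amp;", so "&lt;" turns into
    // "&amp;lt;" and the user sees entity text rather than the original characters.
    public static string DoubleEncode(string untrusted)
    {
        return WebUtility.HtmlEncode(WebUtility.HtmlEncode(untrusted));
    }

    // Canonicalization: decode until the string no longer changes, with an
    // upper bound so crafted input cannot keep the loop busy. Run this before
    // validating input, then encode exactly once at the output boundary.
    public static string Canonicalize(string value, int maxRounds = 8)
    {
        for (int round = 0; round < maxRounds; round++)
        {
            string decoded = WebUtility.HtmlDecode(value);
            if (decoded == value)
            {
                return value; // fixed point reached: nothing left to decode
            }
            value = decoded;
        }
        // Still changing after maxRounds: layered encoding this deep is not
        // something legitimate input produces, so reject it rather than guess.
        throw new InvalidOperationException("input did not stabilize; rejecting");
    }

    static void Main()
    {
        string once = EncodeForHtml(Payload);
        string twice = DoubleEncode(Payload);

        Console.WriteLine("encoded once:  " + once);
        Console.WriteLine("encoded twice: " + twice);

        // Decoding reverses the encoding, so the double-encoded value can be
        // canonicalized back to the original characters and encoded once again.
        string canonical = Canonicalize(twice);
        Console.WriteLine("canonical:     " + canonical);
        Console.WriteLine("round trip ok: " + (canonical == Payload));
        Console.WriteLine("re-encoded:    " + EncodeForHtml(canonical));
    }
}
```

The point of the fixed-point loop is that a single HtmlDecode call is only correct if you know the value was encoded exactly once; if the storage layer, a previous developer, or an attacker has layered encodings, decoding once leaves entity text behind and validation then runs on the wrong string. Bounding the loop and rejecting input that never stabilizes is the practitioner's safeguard against that.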
