Microsoft AntiXSS - Is there a need to Decode?

c# asp.net html-encode antixsslibrary
GilliVilla picture GilliVilla · Sep 23, 2010 · Viewed 7.1k times · Source

The HttpUtility class provides for both encoding and decoding. But, when I use the MS AntiXSS 3.1 Library I have a set of methods only for encoding, does this mean decoding can be avoided?

For example

Before applying AntiXSS:

lblName.Text = "ABC" + "<script> alert('Inject'); </script";

After applying AntiXSS:

lblName.Text = AntiXSS.HTMLEncode("ABC" + "<script> alert('Inject'); </script");

So, after applying the encoding, the HTML tags show up in my Label control.

Is this the desired outcome?

Answer

Brody picture Brody · Jan 22, 2015

You can use the HttpUtility.HtmlDecode method to decode AntiXss encoded text (or any encoded text). No explicit AntiXss decode is required.

Related questions

Fortify and AntiXSS

My company requires our ASP.NET code to pass a Fortify 360 scan before releasing the code. We use AntiXSS everywhere to sanitize HTML output. We also validate input. Unfortunately, they recently changed the "template" Fortify was using and now it's …

Read More
ASP.NET automatically converts & to &amp;

Minor issue, but it's driving me nuts nonetheless. I'm building a url for a <script> tag include to be rendered on an ASP.NET page, something like this: <script src='<%= string.Format("http://example.com/…

Read More
How to get the URL of the current page in C#

Can anyone help out me in getting the URL of the current working page of ASP.NET in C#?

Read More