AntiXssLibrary

  • KUTTAN
    New Member
    • Mar 2007
    • 33

    AntiXssLibrary

    I find AntiXssLibrary V1.5 Installer
    from
    go.microsoft.com/fwlink/?LinkId=122628

    it seems to be good

    1) But can anyone show me a case where Server.HtmlEncode fails?
    2) Why are decode functions not provided in this library?
    3) How can I decode data once it has been encoded using AntiXss


    Microsoft.Security.Application.AntiXss.
  • Frinavale
    Recognized Expert Expert
    • Oct 2006
    • 9749

    #2
    Originally posted by KUTTAN
    I find AntiXssLibrary V1.5 Installer
    from
    go.microsoft.com/fwlink/?LinkId=122628

    it seems to be good

    1) But can anyone show me a case where Server.HtmlEncode fails?
    2) Why are decode functions not provided in this library?
    3) How can I decode data once it has been encoded using AntiXss


    Microsoft.Security.Application.AntiXss.
    Server.HtmlEncode uses a "Black List" of known "dangerous" characters (such as angled brackets (<) and double quotes, etc.) which it encodes by converting these characters into their ASCII value.

    The AntiXss Library uses a "White List" approach instead. It lists what is not dangerous (letters, numbers, etc.). It encodes anything that is not on the list by converting it into its ASCII value.

    Server.HtmlEncode would fail if the attacker used any symbols that were not on the black list of known dangerous characters.

    You would have learned this already if you had read the documentation that comes with the Anti Cross Site Scripting Library.

    I do not know why Microsoft didn't expose a Decode method...it is simply not exposed.

    Why would you want to decode the input anyways?

    -Frinny

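The deny-list versus allow-list distinction Frinny describes, as an added stand-alone illustration (not the AntiXss library's or ASP.NET's own code): a constructed deny-list encoder that only touches four known characters, an allow-list encoder that passes only letters, digits and a few punctuation marks and turns everything else into a numeric character reference, and a decoder that reverses either one, since both emit standard HTML character references. The character sets are assumptions chosen for the example, not the exact lists either real implementation uses.

```python
import html
import string

# Constructed deny list in the style of a black-list encoder: only these
# characters are rewritten; every other character passes through unchanged.
DENY_LIST = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def denylist_encode(text: str) -> str:
    """Encode only the characters named on the deny list."""
    return "".join(DENY_LIST.get(ch, ch) for ch in text)


# Constructed allow list in the style of the AntiXss approach: anything not
# in this set is encoded, so a character nobody thought to list is still
# neutralised rather than passed through.
ALLOWED = set(string.ascii_letters + string.digits + " ,.-_")


def allowlist_encode(text: str) -> str:
    """Encode every character that is not explicitly allowed."""
    return "".join(ch if ch in ALLOWED else f"&#{ord(ch)};" for ch in text)


def html_decode(encoded: str) -> str:
    """Both encoders emit standard HTML character references, so the
    standard library's entity decoder restores the original text."""
    return html.unescape(encoded)


def compare(text: str) -> dict:
    """Show what each scheme leaves in the output and that both round-trip."""
    deny = denylist_encode(text)
    allow = allowlist_encode(text)
    return {
        "deny": deny,
        "allow": allow,
        # Characters outside the deny list that reached the output untouched.
        "passed_by_denylist": sorted(set(text) - set(DENY_LIST) - ALLOWED),
        "roundtrip_ok": html_decode(deny) == text and html_decode(allow) == text,
    }


if __name__ == "__main__":
    # Constructed sample input; the apostrophe is on neither list above.
    print(compare("O'Brien <b> café"))
```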

    • KUTTAN
      New Member
      • Mar 2007
      • 33

      #3
      Originally posted by Frinavale

      Why would you want to decode the input anyways?
      Because I usually encode all inputs before I store them in the database
      and decode/do not decode them depending upon the type of the control used to show the data.
      If it is a Label I will not decode; if it is a TextBox I will decode before I show it.
