Last post Aug 20, 2012 07:11 AM by Sage Gu - MSFT
Aug 13, 2012 01:27 PM
I downloaded Ver. 4.2 of the library and added it to a project. It results in some strange behavior when I add a link control that points to an outside site. For instance, the link that is rendered by this control:
<asp:HyperLink ID="OutsideLink" runat="server"
Target="_blank">Link to external site</asp:HyperLink>
becomes: http://www.THIS-SITE.com/http%3a//www.outside.com/ and I get the "A potentially dangerous Request.Path value ... " error.
If I remove the encoder type from web.config, i.e. comment out the following:
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
then the control renders the link properly as http://www.outside.com/
I'm posting this for comment only. Resolution is to revert to using HttpUtility.HtmlEncode and wait for ASP.NET 4.5.
Aug 20, 2012 07:11 AM
I'm glad to hear that you got the resolution.
Based on my knowledge, .NET Framework 4.0 has encoded apostrophes in HTMLEncode, and AntiXSS does not. That's because strictly speaking it's not necessary for HTML strings, only for attribute strings.
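The symptom in the first post, reproduced as an added example (not code from either poster, ASP.NET, or the AntiXSS library): once the ":" after the scheme is percent-encoded, a browser sees no scheme and resolves the href as a path on the current site. `encodeAsPathOnly`, `encodeHrefKeepingScheme` and `hasEncodedScheme` are hypothetical helpers written for this illustration; only the two URLs come from the post.

```javascript
// Added illustration; not AntiXSS or ASP.NET source code.
const PAGE_URL = "http://www.THIS-SITE.com/"; // page address as quoted in the post
const TARGET = "http://www.outside.com/";     // link target as quoted in the post

// Percent-encode every UTF-8 byte of `text` that `keep` does not allow.
function pctEncode(text, keep) {
  let out = "";
  for (const b of new TextEncoder().encode(text)) {
    const ch = String.fromCharCode(b);
    out += keep.test(ch) ? ch : "%" + b.toString(16).padStart(2, "0");
  }
  return out;
}

// Hypothetical stand-in for an encoder that treats the whole href as a path:
// "/" survives, ":" does not. It reproduces the value quoted in the post.
function encodeAsPathOnly(url) {
  return pctEncode(url, /[A-Za-z0-9\-._~\/]/);
}

// Hypothetical scheme-aware alternative: accept only absolute http(s) URLs,
// leave scheme and host untouched, and encode only what follows them.
function encodeHrefKeepingScheme(url) {
  const m = /^(https?:\/\/[A-Za-z0-9.\-]+(?::\d+)?)(\/.*)?$/i.exec(url);
  if (!m) return null;
  return m[1] + pctEncode(m[2] || "", /[A-Za-z0-9\-._~\/?&=#]/);
}

// What a browser does with the attribute value: resolve it against the page.
function resolveHref(href) {
  return new URL(href, PAGE_URL);
}

// Check for rendered markup: an href that starts with a scheme whose ":" was encoded.
function hasEncodedScheme(href) {
  return /^[a-z][a-z0-9+.\-]*%3a/i.test(href);
}

const broken = encodeAsPathOnly(TARGET);
console.log(broken, "->", resolveHref(broken).href);
const fixed = encodeHrefKeepingScheme(TARGET);
console.log(fixed, "->", resolveHref(fixed).href);
```

Running `hasEncodedScheme` over the href values in rendered pages is a quick way to find other links affected by the same encoder setting.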