GDB
AntiXssLibrary breaks external links
Aug 13, 2012 01:27 PM
I downloaded Ver. 4.2 of the library and added it to a project. It results in some strange behavior when I add a link control that points to an outside site. For instance, the link that is rendered by this control:
<asp:HyperLink ID="OutsideLink" runat="server" NavigateUrl="http://www.outside.com/" Target="_blank">Link to external site</asp:HyperLink>
becomes: http://www.THIS-SITE.com/http%3a//www.outside.com/ and I get the "A potentially dangerous Request.Path value ... " error.
If I remove the encoder type from web.config, i.e. comment out the following:
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
then the control renders the link properly as http://www.outside.com/
I'm posting this for comment only. Resolution is to revert to using HttpUtility.HtmlEncode and wait for ASP.NET 4.5.
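What a browser does with the href reported above, as an added example that is not part of the original post or of the AntiXSS library: once the scheme's ":" has been percent-encoded to "%3a", the value no longer parses as an absolute URL and resolves as a path on the current site. The base URL, the sample markup and the function names are constructed for illustration.

```javascript
// Added example: why href="http%3a//www.outside.com/" lands on the current site.
// BASE is a constructed page URL standing in for the site in the post.
const BASE = "http://www.THIS-SITE.com/Default.aspx";

// A reference is absolute only if it starts with scheme + literal ":" (RFC 3986, section 3.1).
const ABSOLUTE = /^[a-z][a-z0-9+.-]*:/i;
// A scheme whose ":" was percent-encoded, as in the rendered link from the post.
const ENCODED_SCHEME = /^([a-z][a-z0-9+.-]*)%3a(\/\/.*)$/i;

// Resolve an href the way a browser does and classify the outcome.
function analyzeHref(href, base = BASE) {
  const resolved = new URL(href, base);
  const m = ENCODED_SCHEME.exec(href);
  return {
    href,
    absolute: ABSOLUTE.test(href),
    resolved: resolved.href,
    sameOriginAsPage: resolved.origin === new URL(base).origin,
    // Path after decoding on the server; it now contains ":", one of the
    // characters in ASP.NET 4's default requestPathInvalidCharacters.
    requestPath: decodeURIComponent(resolved.pathname),
    likelyIntended: m ? `${m[1]}:${m[2]}` : null,
  };
}

// Scan rendered markup for links whose scheme delimiter was encoded.
function findBrokenLinks(html, base = BASE) {
  const out = [];
  for (const [, href] of html.matchAll(/href="([^"]*)"/gi)) {
    const info = analyzeHref(href, base);
    if (info.likelyIntended) out.push(info);
  }
  return out;
}

// Constructed markup: first link as rendered with the custom encoder, second without it.
const SAMPLE = `
<a id="OutsideLink" href="http%3a//www.outside.com/" target="_blank">Link to external site</a>
<a id="PlainLink" href="http://www.outside.com/" target="_blank">Link to external site</a>`;

for (const l of findBrokenLinks(SAMPLE)) {
  console.log(`${l.href} -> ${l.resolved} (request path ${l.requestPath})`);
}
```

Running `findBrokenLinks` over a page's rendered output after changing `encoderType` is a quick regression check for links that silently became same-site paths.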
Sage Gu - MS...
Microsoft
Re: AntiXssLibrary breaks external links
Aug 20, 2012 07:11 AM
Hi GDB,
I'm glad to hear that you got the resolution.
Based on my knowledge, .NET Framework 4.0 has encoded apostrophes in HTMLEncode, and AntiXSS does not. That's because strictly speaking it's not necessary for HTML strings, only for attribute strings.
Regards,
Sage