AntiXssEncoder.HtmlEncode has support only for .NET Framework. Can I use WebUtility.HtmlEncode for AntiXss as we have our application in .NET Core 2.1?
What is difference between WebUtility.HtmlEncode and AntiXssEncoder.HtmlEncode?
Asked by Agrawal Shraddha
TL;DR:

> Can I use WebUtility.HtmlEncode for Antixss as we have our application in .net core 2.1?

Correct.

But I want to stress that there is no such thing as an "anti-XSS HTML-encoder", because all correctly-implemented HTML-encoders will protect your website from XSS attacks when used correctly. ([...] `AntiXssEncoder`, but given that at-the-time the main `HtmlEncode` implementation was actually buggy and insecure probably might have something to do with it, but that's ancient history now.)

In .NET Core 2.1, you only need to use `System.Net.WebUtility.HtmlEncode`.

In other .NET releases (especially historical versions), things are complicated; read on if you dare...
Why `AntiXssEncoder` (aka `AntiXss` and `AntiXss.Encoder`) exists - and why it's obsolete in 2021:

The `AntiXssEncoder` class from the `AntiXss` NuGet package (aka `Microsoft.Security.Application.AntiXss`) is obsolete (and has been since 2014) when it was moved to `System.Web.Security.AntiXss.AntiXssEncoder`. (`AntiXssEncoder`, `Encoder`, and `AntiXss` are just alternative APIs for the same underlying implementation in `Encoder`, btw.)

The `AntiXssEncoder` in `System.Web.Security.AntiXss` is not available in .NET Core 2.1. However, this is not a significant problem:

The original `Microsoft.Security.Application.AntiXss` was created because `HttpUtility.HtmlEncode` was considered insecure because it did not encode single-apostrophe characters, so XSS attacks were possible against ASP.NET 1.x and ASP.NET 2.x WebForms (.aspx) pages that used single-apostrophes to delimit HTML attributes that contained user-specified values.

For example:

...which will be rendered as:

However, this issue was fixed in ASP.NET 4.0 when `HttpUtility.HtmlEncode` was corrected to also HTML-encode those apostrophes. So the exact same code above will now be rendered as below, which won't show an `alert()`:

`AntiXssEncoder` also supported specifying a list of excluded Unicode code-points or `Char` values; this was added because `AntiXssEncoder` defaulted to hex-encoding all `Char` values (not code-points!) above 0xFFFF, which unfortunately meant that even completely safe text in Arabic, Hebrew, Kanji, etc. would be escaped, making the raw HTML almost unreadable and ballooning the output HTML length.

For example, the (gibberish) string "لك أن كلا" would be rendered as "لك أن كلا" - which isn't good.

Fortunately, `AntiXssEncoder.MarkAsSafe` can be used to exclude character ranges at the programmer's discretion.

By the time .NET Core 2.1 came out, the `System.Net.WebUtility` class (not to be confused with `System.Web.HttpUtility`, of course) was improved so that it does not unnecessarily hex-encode high `Char` values, and it does also HTML-encode apostrophes, hence why `AntiXssEncoder` was no longer needed.

In .NET Core 3.1 (and later, including .NET 5 and .NET 6) things improved further, but also got a bit confusing...

`System.Text.Encodings.Web.HtmlEncoder` was added. This is a separate implementation (instead of simply wrapping `WebUtility`) which brings back `AntiXssEncoder`'s ability to exclude ranges of characters from encoding, just in case you need that functionality. But it's a bit of an edge-case, imo. [...] `HtmlEncoder.Create(TextEncoderSettings)` with a configured `TextEncoderSettings` object with the required char ranges excluded.

In .NET Core 3.1, for the sake of back-compat, Microsoft brought back `System.Web.HttpUtility`; however, this is just another wrapper over `WebUtility.HtmlEncode`. [...] `HtmlAttributeEncode` - which does not encode single-apostrophes. There is no good reason to use this method, imo. I'm surprised Microsoft hasn't annotated it with `[Obsolete]`, actually.

However, in .NET Core (and .NET 5 and later) there isn't any way to HTML-encode text such that named entities are used instead of hex-encoded entities (other than `&lt;`, `&gt;` and `&amp;`). The `AntiXssEncoder.HtmlEncode` method (both `Microsoft.Security` and `System.Web.Security`) had a `useNamedEntities` parameter which involved a large hard-coded table of known entity names, e.g. `£` becomes `&pound;` instead of `&#xA3;`. [...] `&#nnnn;`-syntax as a means of encoding Unicode code-points specifically, as opposed to a character-value in some other encoding scheme, whereas previously in HTML4 the spec refers to ISO 10646 (aka UCS) characters, which is not Unicode as we know it today. (And I suspect that browsers may have tried to map characters based on the document's encoding/code-page if the page wasn't encoded using Unicode (like Shift-JIS), but I might be wrong.)
Finally, here's a table comparing the output from all of the different `HtmlEncode` methods found in .NET as of 2021.

All three comparisons below use the same inputs (code points are shown in hex; the .NET 5 table originally listed them in decimal). (The encoded-output cells of the original tables were lost; only the input columns and the list of encoders each table compared are reproduced here.)

| # | Input | Code point(s) | UTF-8 bytes | UTF-16LE bytes |
|---|-------|---------------|-------------|----------------|
| 0 | abc | U+0061 U+0062 U+0063 | 61 62 63 | 61 00 62 00 63 00 |
| 1 | < | U+003C | 3C | 3C 00 |
| 2 | > | U+003E | 3E | 3E 00 |
| 3 | & | U+0026 | 26 | 26 00 |
| 4 | " | U+0022 | 22 | 22 00 |
| 5 | ' | U+0027 | 27 | 27 00 |
| 6 | Ÿ | U+009F | C2 9F | 9F 00 |
| 7 | (no-break space) | U+00A0 | C2 A0 | A0 00 |
| 8 | ÿ | U+00FF | C3 BF | FF 00 |
| 9 | ā | U+0101 | C4 81 | 01 01 |
| 10 | ~ | U+007E | 7E | 7E 00 |
| 11 | (DEL) | U+007F | 7F | 7F 00 |
| 12 | £ | U+00A3 | C2 A3 | A3 00 |
| 13 | ÿ | U+00FF | C3 BF | FF 00 |
| 14 | Ḃ | U+1E02 | E1 B8 82 | 02 1E |
| 15 | 💩 | U+1F4A9 | F0 9F 92 A9 | 3D D8 A9 DC |
| 16 | 𣎴 | U+233B4 | F0 A3 8E B4 | 4C D8 B4 DF |
| 17 | 𣎴 | U+233B4 | F0 A3 8E B4 | 4C D8 B4 DF |
| 18 | لك أن كلا | U+0644 U+0643 U+0020 U+0623 U+0646 U+0020 U+0643 U+0644 U+0627 | D9 84 D9 83 20 D8 A3 D9 86 20 D9 83 D9 84 D8 A7 | 44 06 43 06 20 00 23 06 46 06 20 00 43 06 44 06 27 06 |

**HtmlEncode methods available in .NET Framework 4.8**

The following `HtmlEncode` methods are excluded because they're just wrappers over other implementations:

- `System.Web.HttpServerUtility` (aka `Server.HtmlEncode`) just forwards to `HttpUtility.HtmlEncode`.
- `System.Web.UI.HtmlTextWriter.WriteEncodedText` also forwards to `HttpUtility.HtmlEncode`.

Encoders compared:

- `System.Web.HttpUtility.HtmlEncode`: the `HttpUtility.HtmlEncode` method just forwards to `System.Web.Util.HttpEncoder.Current.HtmlEncode(s)`. `System.Web.Util.HttpEncoder.Current` can be replaced at runtime, which is how an update to ASP.NET 4.x (I forget which) was able to make almost everyone use (the then far-better) `AntiXssEncoder` without people needing to change their existing application code. Neat. `System.Web.Util.HttpEncoder.Current` can point to any compatible implementation, while `System.Web.Util.HttpEncoder.Default` is _always_ just a wrapper over `WebUtility.HtmlEncode`.
- `System.Web.Util.HttpEncoder.Default` - as mentioned above, this is just another `System.Net.WebUtility` wrapper.
- `System.Net.WebUtility.HtmlEncode`
- `System.Text.Encodings.Web.HtmlEncoder`
- `System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(false)`
- `System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(true)`

**Obsolete and historical HtmlEncode methods**

This table is included only for computer-archeological reasons. **It does not apply to .NET Framework 4.8, nor any versions of ASP.NET Core and ASP.NET-for-.NET 5 or later.**

Encoders compared:

- `System.Web.HttpUtility.HtmlEncode` (ASP.NET 1.1 and 2.0)
- `Microsoft.Security.Application.Encoder.HtmlEncode(false)`
- `Microsoft.Security.Application.Encoder.HtmlEncode(true)`

**HtmlEncode methods in .NET 5**

Encoders compared:

- `System.Net.WebUtility.HtmlEncode`
- `System.Web.HttpUtility.HtmlEncode` (.NET 5)
- `System.Text.Encodings.Web.HtmlEncoder`
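The two behaviours the answer above turns on (whether an encoder leaves a literal apostrophe that can break out of a single-quoted attribute, and whether it hex-encodes every non-ASCII character unless a range is allow-listed) can be checked side by side. The following is an added example and is not code from the question or the answer. It assumes .NET 6, where `System.Web.HttpUtility` and `System.Text.Encodings.Web.HtmlEncoder` are both in-box (on .NET Core 2.1 only the `WebUtility` row applies); the helper name `IsSafeInSingleQuotedAttribute` and the two sample strings are constructed for this example.

```csharp
// Added example (not part of the original question or answer): compare the
// HTML encoders discussed above on an attribute-breakout payload and on an
// Arabic string, on .NET 6. HttpUtility is not available on .NET Core 2.1.
using System;
using System.Net;
using System.Text.Encodings.Web;
using System.Text.Unicode;
using System.Web;

static class HtmlEncoderComparison
{
    // Constructed attack string: if the apostrophe survives encoding it closes
    // title='...' early and the rest becomes a live event-handler attribute.
    const string AttributeBreakout = "' onmouseover='alert(1)";

    // Constructed sample, the same Arabic string the answer uses.
    const string Arabic = "لك أن كلا";

    // HtmlEncoder with an allow-list: ASCII and Arabic letters pass through
    // unencoded; the HTML-sensitive characters (<, >, &, ", ') are encoded
    // regardless of the allow-list, so the allow-list cannot weaken XSS safety.
    static readonly HtmlEncoder ArabicFriendly =
        HtmlEncoder.Create(new TextEncoderSettings(UnicodeRanges.BasicLatin, UnicodeRanges.Arabic));

    // Hypothetical helper (name chosen for this example): an encoded value can
    // sit inside a single-quoted attribute only if no literal ' remains.
    static bool IsSafeInSingleQuotedAttribute(string encoded) => !encoded.Contains('\'');

    static readonly (string Name, Func<string, string> Encode)[] Encoders =
    {
        ("System.Net.WebUtility.HtmlEncode",              s => WebUtility.HtmlEncode(s)),
        ("System.Web.HttpUtility.HtmlEncode",             s => HttpUtility.HtmlEncode(s)),
        // The answer says this one does not encode apostrophes; the check below
        // reports what your runtime actually does instead of assuming it.
        ("System.Web.HttpUtility.HtmlAttributeEncode",    s => HttpUtility.HtmlAttributeEncode(s)),
        ("System.Text.Encodings.Web.HtmlEncoder.Default", s => HtmlEncoder.Default.Encode(s)),
        ("HtmlEncoder.Create(BasicLatin + Arabic)",       s => ArabicFriendly.Encode(s)),
    };

    static void Main()
    {
        foreach (var (name, encode) in Encoders)
        {
            string encoded = encode(AttributeBreakout);
            string verdict = IsSafeInSingleQuotedAttribute(encoded) ? "safe" : "BREAKS OUT";

            Console.WriteLine(name);
            // Show the value exactly as it would land in a single-quoted attribute.
            Console.WriteLine($"  <a title='{encoded}'>  -> {verdict}");
            // Show how readable (or not) non-Latin text is after encoding.
            Console.WriteLine($"  Arabic: {encode(Arabic)}");
            Console.WriteLine();
        }
    }
}
```

Run it as a console app with `dotnet run`. `WebUtility.HtmlEncode` and `HtmlEncoder.Default` both leave no literal apostrophe in the output (they emit `&#39;` and `&#x27;` respectively), so the breakout payload stays inside the attribute; the `HtmlAttributeEncode` row shows whether the answer's warning about apostrophes applies on the runtime you are actually shipping. The allow-listed encoder keeps the Arabic sample readable while `HtmlEncoder.Default` hex-encodes every letter of it, which is the trade-off the answer describes. The check covers a single-quoted HTML attribute only: the same encoded string is not safe inside a `<script>` block, a JavaScript event handler, or a URL, each of which needs its own context-specific encoding (and a view engine such as Razor that encodes by default is preferable to hand-placing encoded strings in markup).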