Microsoft AntiXSS - Is there a need to Decode?

喜欢而已 提交于 2019-12-06 02:31:29

Yes, I think this is desired output. This is because the script is not executed. If the script would have been executed, an alert would be shown instead of the script tags. So this is safe code.

blowdart

It depends where your input is coming from, and what you want to do with it. A lot of the time the framework decodes for you before you see things - Request.Form, Request.QueryString etc.

If you're reading an encoded string from somewhere else, for example a database then you may want to decode it, otherwise you'll see double encoding, for example;

I 3> AntiXSS encoded once becomes

I 3> AntiXSS which then becomes after double encoding

I 3> AntiXSS

which can have unintended side effects depending on what consumes the output. The act of decoding until the string no-longer changes is an example of canonicalisation.

Brody

You can use the HttpUtility.HtmlDecode method to decode AntiXss encoded text (or any encoded text). No explicit AntiXss decode is required.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!