
I am developing a web application on ASP.NET. I take textarea input from users and later display this input on the website. While saving the input into the database I am not encoding it; I write it directly into the db.

If the input contains "enter" I don't want to lose the line breaks, so I am replacing the data like this: Replace("\r\n", "<br />")

To prevent XSS attacks, before displaying the data I encode it using the Microsoft AntiXSS library's Microsoft.Security.Application.Encoder.HtmlEncode function.

This function also encodes "<br/>", so on screen I don't get any line breaks.

If I encode first with AntiXSS and then replace "\r\n" with "<br/>", I don't get any line breaks either, since AntiXSS, I think, removes "\r\n".

If I use Server.HtmlEncode and then replace "\r\n" with "<br/>", everything is fine. But I want to use the AntiXSS library and I don't know how to achieve this.

Is there any way to print line breaks using the AntiXSS HtmlEncode function?

Thanks

Mehmet
  • After the `<br/>` is encoded, can't you then just replace the encoded `<br/>` with a decoded version? e.g. `Replace("&lt;br/&gt;", "<br/>")`?
    – Caleb Brinkman Oct 02 '15 at 16:10
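An approach that sidesteps the ordering problem entirely, added here as an example and not part of the original question or the AntiXSS library: split the raw input on line breaks first, HTML-encode each line on its own, then join the encoded lines with a `<br />` that the application controls. The encoder never sees `\r\n`, so it does not matter whether it strips or escapes them, and there is no need to search the encoded output for whatever form the encoder gives `<br/>` (`&lt;br/&gt;`, numeric entities, and so on), which differs between Server.HtmlEncode and AntiXSS. The class and method names (`LineBreakPreservingEncoder`, `EncodeWithLineBreaks`) are hypothetical; `System.Net.WebUtility.HtmlEncode` is used so the sample compiles without the AntiXSS package installed, and the same method group swap works for `Microsoft.Security.Application.Encoder.HtmlEncode`.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example (hypothetical helper, not part of AntiXSS or the question's code).
// Line breaks are split off BEFORE encoding; only the encoded pieces are joined
// with fixed <br /> markup, so no user-supplied text reaches the page unencoded.
public static class LineBreakPreservingEncoder
{
    // Matches \r\n, a lone \r, or a lone \n so input from any client keeps its breaks.
    private static readonly Regex LineBreak = new Regex(@"\r\n|\r|\n", RegexOptions.Compiled);

    public static string EncodeWithLineBreaks(string input, Func<string, string> htmlEncode)
    {
        if (htmlEncode == null) throw new ArgumentNullException(nameof(htmlEncode));
        if (string.IsNullOrEmpty(input)) return string.Empty;

        string[] lines = LineBreak.Split(input);
        for (int i = 0; i < lines.Length; i++)
        {
            // Each line is encoded independently; the encoder never sees a newline.
            lines[i] = htmlEncode(lines[i]);
        }

        // The separator is markup the application owns, inserted after encoding.
        return string.Join("<br />", lines);
    }

    public static void Main()
    {
        // Constructed sample input: three lines, the middle one an injection attempt.
        string userInput = "first line\r\n<script>alert(1)</script>\nlast line";

        // WebUtility.HtmlEncode stands in here; with the AntiXSS package referenced,
        // pass Microsoft.Security.Application.Encoder.HtmlEncode instead.
        string html = EncodeWithLineBreaks(userInput, WebUtility.HtmlEncode);

        Console.WriteLine(html);
    }
}
```

One caveat when wiring this into a page: the result already contains markup, so it has to be emitted as-is (for example through a Literal control with Mode="PassThrough", or Html.Raw in MVC). If the view encodes the string a second time, the `<br />` separators themselves get escaped and the line breaks disappear again.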

0 Answers