
In a project at work, I've recently been assigned to encode the user input using the AntiXSS library (v. 4.2.1), even though it's as good as abandoned and doesn't even have documentation for the latest version. I looked around a bit and found that I could use something like this for the input:

<input type="text" value='<%= Microsoft.Security.Application.AntiXss.HtmlEncode() %>' />

Unfortunately, the project I'm working on uses the Knockout library, so if I have:

<input type="text" data-bind="value: Something" />

Would something like this be possible?

<input type="text" data-bind="value: <%= Microsoft.Security.Application.AntiXss.HtmlEncode(Something) %>" />

Edit: forgot to add that the inputs are handled in the .ascx pages, not .aspx

Ana Ameer

1 Answer


Knockout runs on the client side (JavaScript) and the AntiXSS library on the server side. You can't mix these two things. You have to encode your properties in the code-behind of your ascx pages after they are sent to the server.

Marian Ban
  • Oh, from what little I gathered on the internet I assumed I always encoded directly on the input... – Ana Ameer Jul 04 '12 at 13:55
  • @AnaAmeer I don't know what exactly you mean when you say "directly on input", but input encoding/decoding must be performed on the server side because of security risks if you do it on the client side. – Marian Ban Jul 04 '12 at 15:03
  • I meant what I wrote on my example; that I had to apply the HtmlEncode() directly on the input value (I've seen at least three examples doing that). I took your advice though, and that solved my problem, so thank you! – Ana Ameer Jul 04 '12 at 15:43
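The following is an added example, not code from the question or the answer, showing what "encode in the code-behind of the ascx" can look like. The control class, property names and markup are hypothetical; the `Encoder.HtmlAttributeEncode` and `Encoder.JavaScriptEncode` calls are the AntiXSS 4.x `Encoder` class (the `AntiXss` class used in the question is the older name for the same encoders). The point it illustrates is the one from the answer: the `data-bind` attribute stays a plain Knockout expression, and the untrusted value is encoded on the server at the exact spot where it is written into the page, once for an attribute context and once for the script that seeds the Knockout view model.

```csharp
// Hypothetical code-behind for an .ascx user control (added example).
// The user-supplied value is encoded here, on the server, before it is
// emitted into markup. Nothing is encoded "on the input" in the browser.
using System;
using System.Web.UI;
using Microsoft.Security.Application;   // AntiXSS 4.x: Encoder class

public partial class SomethingControl : UserControl
{
    // Raw, untrusted value as received from the request or the data layer.
    public string Something { get; set; }

    // Encoded for an HTML attribute context, e.g. value="...".
    protected string SomethingForAttribute
    {
        get { return Encoder.HtmlAttributeEncode(Something ?? string.Empty); }
    }

    // Encoded for a JavaScript string-literal context. JavaScriptEncode
    // emits the surrounding quotes itself, so the markup must not add them.
    protected string SomethingForScript
    {
        get { return Encoder.JavaScriptEncode(Something ?? string.Empty); }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Constructed sample input; a real control would load this from
            // the request or the database. It is deliberately hostile so the
            // effect of the encoding is visible in the rendered page.
            Something = "<script>alert('x')</script>";
        }
    }
}

/* Matching .ascx markup (hypothetical). The data-bind attribute is a plain
   Knockout expression; the server only encodes the value where it is
   written into the page, which is what the accepted answer recommends.

   <input type="text" data-bind="value: Something"
          value="<%= SomethingForAttribute %>" />

   <script type="text/javascript">
       var viewModel = {
           // JavaScriptEncode output already includes the quotes.
           Something: ko.observable(<%= SomethingForScript %>)
       };
       ko.applyBindings(viewModel);
   </script>
*/
```

With the sample input above, the attribute receives `&lt;script&gt;...` and the script receives a quoted, escaped string literal, so the browser treats the value as text in both places and Knockout's `value` binding simply copies it into the field.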