I am trying to limit XSS attacks to a site, and am using the AntiXss Library to encode any untrusted strings before including in the response.

AntiXssEncoder.HtmlEncode(_Title, False)

My database value looks like this - If There's a Fire, which after being encoded shows the HTML code on screen. Strangely, the source code also contains the HTML code with &amp;#39;, but browsers show it as text rather than the correct character.

What am I doing wrong?

DavidB

2 Answers

The issue was because the value was being encoded twice

DavidB
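To make the accepted diagnosis concrete, here is an added example (not code from the question or either answer) that reproduces the double encoding and checks rendered output for its fingerprint. It uses System.Net.WebUtility.HtmlEncode, which turns the apostrophe into &#39; just as AntiXssEncoder.HtmlEncode(value, False) does; the method names and the regex are this example's own.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: encode exactly once, at the output boundary, and detect
// the "&amp;#39;" pattern that appears when a value is encoded twice.
static class EncodeOnce
{
    // An entity whose leading '&' has itself been encoded, e.g. "&amp;#39;"
    // or "&amp;lt;", is the telltale sign of double encoding.
    static readonly Regex DoubleEncoded =
        new Regex(@"&amp;(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);");

    public static bool LooksDoubleEncoded(string html) => DoubleEncoded.IsMatch(html);

    // Wrong: the value was already encoded when it was stored, and the page
    // encodes it again when rendering, so "&#39;" becomes "&amp;#39;".
    public static string RenderTwice(string dbValue)
    {
        string storedEncoded = WebUtility.HtmlEncode(dbValue); // encoded at write time
        return WebUtility.HtmlEncode(storedEncoded);           // encoded again at render time
    }

    // Right: store the raw value and encode it once, when it is written into the response.
    public static string RenderOnce(string dbValue) => WebUtility.HtmlEncode(dbValue);

    static void Main()
    {
        const string title = "If There's a Fire"; // the value from the question

        string twice = RenderTwice(title);
        string once = RenderOnce(title);

        Console.WriteLine($"{twice}  double-encoded: {LooksDoubleEncoded(twice)}");
        Console.WriteLine($"{once}  double-encoded: {LooksDoubleEncoded(once)}");
    }
}
```

Running LooksDoubleEncoded over rendered pages is a cheap check for this class of bug; the fix is never to HtmlDecode at render time but to remove the extra encoding step so that stored data stays raw and is encoded once on output.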

First,

Properly decode previously encoded values using WebUtility.HtmlDecode(HTMLEncodedValue);

then, if you are showing values in some HTML control like table data (<td></td>), use controlID.innerHtml instead of controlID.innerText.

Kindly revert with more details, if it does not help you.

Aki