I have a few questions regarding how to use AntiXss in my .NET project (not an MVC project; a traditional .NET project that contains .aspx and .ascx web pages).
1) Is my following approach correct? My initial code in the aspx.cs file (without AntiXss):
int ID;
// Only accept the query-string value if it parses as an integer
if (int.TryParse(Request.QueryString["ID"], out ID))
{
    IDHdn.Value = ID.ToString();
    IDLbl.Text = IDHdn.Value; // written to the page without encoding
}
My current code in the aspx.cs file (after implementing AntiXss):
using System.Web.Security.AntiXss;
int ID;
// Only accept the query-string value if it parses as an integer
if (int.TryParse(Request.QueryString["ID"], out ID))
{
    IDHdn.Value = ID.ToString();
    IDLbl.Text = AntiXssEncoder.HtmlEncode(IDHdn.Value, true); // HTML-encode before writing to the label
}
Is this the correct approach? When is HtmlDecode required? Will it be required in my case?
2) Which AntiXss method should be used for encoding Request.Form values?
For example:
string nameList = Request.Form["name"];
How do I encode the above using the AntiXss library?
Currently I'm simply doing the following:
string nameList = HttpUtility.HtmlEncode(Request.Form["name"]);
How do I do the same using the AntiXss library?
3) Will adding the following in web.config affect other encoders being used (like HttpUtility) in my application?
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />
4) What's the difference between:
IDLbl.Text = AntiXssEncoder.HtmlEncode(IDHdn.Value, true);  // useNamedEntities = true
and
IDLbl.Text = AntiXssEncoder.HtmlEncode(IDHdn.Value, false); // useNamedEntities = false
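Added example (not the question's code): a small console program showing how the static `AntiXssEncoder` methods from `System.Web.Security.AntiXss` map onto the output contexts the question touches (label text from a query-string integer, a `Request.Form` value written into HTML body, attribute and URL contexts, and the `useNamedEntities` flag). It assumes a reference to `System.Web.dll` on .NET Framework 4.5 or later, and it uses a constructed `Dictionary<string, string>` in place of `Request.QueryString` / `Request.Form` so it runs outside IIS.

```csharp
// Added example: AntiXssEncoder in the output contexts an .aspx page writes into.
// Requires a reference to System.Web.dll (.NET Framework 4.5+).
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security.AntiXss;

static class AntiXssContextDemo
{
    // Constructed stand-in for Request.QueryString / Request.Form; in a page you
    // would read HttpRequest directly.
    static readonly Dictionary<string, string> Request = new Dictionary<string, string>
    {
        { "ID",   "42" },
        { "name", "<script>alert('x')</script> & O'Brien \u00A9 2014" }
    };

    // Question 1: a value that passed int.TryParse contains only digits (and an
    // optional sign), so HTML-encoding it changes nothing. Encoding is still
    // harmless and keeps every assignment to a control's Text uniform.
    static string EncodedIdForLabel()
    {
        int id;
        if (!int.TryParse(Request["ID"], out id))
            return string.Empty;               // reject anything that is not an integer
        return AntiXssEncoder.HtmlEncode(id.ToString(), false);
    }

    // Question 2: the form value as it would be assigned to Label.Text, i.e. HTML body
    // context. '<', '>', '&' and quotes come out as entity references.
    static string EncodedNameForHtmlBody()
    {
        return AntiXssEncoder.HtmlEncode(Request["name"], false);
    }

    // The same value placed inside an attribute you render by hand (value="...").
    static string EncodedNameForAttribute()
    {
        return "value=\"" + AntiXssEncoder.HtmlAttributeEncode(Request["name"]) + "\"";
    }

    // The same value carried in a query string of a link you build yourself.
    static string EncodedNameForUrl()
    {
        return "Details.aspx?name=" + AntiXssEncoder.UrlEncode(Request["name"]);
    }

    // Question 4: the bool only changes how characters that have a named entity are
    // written: true emits the name (e.g. &copy;), false emits the numeric reference
    // (e.g. &#169;). The set of characters that get encoded is the same either way.
    static string NamedEntities()   { return AntiXssEncoder.HtmlEncode("\u00A9 2014", true); }
    static string NumericEntities() { return AntiXssEncoder.HtmlEncode("\u00A9 2014", false); }

    // Question 3, for comparison: HttpUtility.HtmlEncode with the default encoder.
    // In a web application, once <httpRuntime encoderType="...AntiXssEncoder" /> is set,
    // HttpUtility.HtmlEncode and Server.HtmlEncode delegate to AntiXssEncoder, because
    // AntiXssEncoder derives from HttpEncoder; this console program has no web.config,
    // so it shows the default HttpEncoder output.
    static string DefaultEncoderForHtmlBody()
    {
        return HttpUtility.HtmlEncode(Request["name"]);
    }

    static void Main()
    {
        Console.WriteLine("label (int):      " + EncodedIdForLabel());
        Console.WriteLine("HTML body:        " + EncodedNameForHtmlBody());
        Console.WriteLine("HTML attribute:   " + EncodedNameForAttribute());
        Console.WriteLine("URL query:        " + EncodedNameForUrl());
        Console.WriteLine("named entities:   " + NamedEntities());
        Console.WriteLine("numeric entities: " + NumericEntities());
        Console.WriteLine("HttpUtility:      " + DefaultEncoderForHtmlBody());
    }
}
```

The point the example makes is that the encoder is chosen by where the value is written, not by where it was read from: `HtmlEncode` for text inside an element, `HtmlAttributeEncode` for attribute values, `UrlEncode` for query-string parts. Encoding the value once, at the point of output, also avoids any need for `HtmlDecode`; decoding only becomes necessary if a value that was already encoded for storage is later written into a non-HTML context.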