3

We have an ASP.Net Webforms (.Net 4.7.2) site. We've enabled the built-in XSS protection by adding to web.config:

    <httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" ... />

This works fine, apart from in one place: we have some code that generates a small image, and embeds it within the page using a Data URI:

(aspx)

    <asp:Image ID="image1" runat="server" />

(C#)

    image1.ImageUrl = dataURI;

and dataURI is normally something like:

data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMMAAADDAQMAAAA ...

This works fine without the AntiXssEncoder, but with that in place the rendered HTML turns into:

<img id="image1" src="data%3Aimage/png%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAAA ...

... so the unsafe characters in the "header" of the src have been encoded, and the image doesn't display in the browser.

How can I disable the AntiXssEncoder for this one image object, or otherwise force the Data URI to get to the browser without being re-encoded? There is no user input on this particular page.

KenD

1 Answer

1

One way is to "do it yourself". Reference: https://stackoverflow.com/a/7406983/11534

Basically:

  1. Declare a public property in your code-behind file with the image data. Let's say "ImageData" (public string ImageData { get; set; }) and set it to hold the base64 data.
  2. Replace <asp:Image ID="image1" runat="server" /> with <img src="<%= ImageData %>" />
flytzen
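The "do it yourself" approach above, written out as an added example (not code from the question or the answer). It assumes a page class named ImagePage, a property named ImageData that holds the complete data URI emitted by `<img src="<%= ImageData %>" />`, and System.Drawing as shipped with .NET Framework 4.7.2. Because `<%= %>` bypasses the AntiXssEncoder, the helper only ever emits a fixed MIME type plus a string it has verified to be pure base64, so nothing outside that alphabet can reach the attribute.

```csharp
// Added example, not from the original post. Code-behind for <img src="<%= ImageData %>" />.
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Text.RegularExpressions;

public partial class ImagePage : System.Web.UI.Page   // assumed page class name
{
    // Rendered verbatim by <%= %>, so it must never carry untrusted text.
    public string ImageData { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        byte[] png = RenderPng(100, 40);   // server-generated, no user input involved
        ImageData = ToPngDataUri(png);
    }

    // Builds a small constructed PNG entirely on the server.
    private static byte[] RenderPng(int width, int height)
    {
        using (var bmp = new Bitmap(width, height))
        using (var g = Graphics.FromImage(bmp))
        using (var ms = new MemoryStream())
        {
            g.Clear(Color.White);
            g.DrawRectangle(Pens.Black, 2, 2, width - 5, height - 5);
            bmp.Save(ms, ImageFormat.Png);
            return ms.ToArray();
        }
    }

    // The base64 alphabet (A-Z a-z 0-9 + / =) contains no quote, '<' or '&',
    // so the value is safe inside a double-quoted src attribute without encoding.
    private static readonly Regex Base64Only = new Regex("^[A-Za-z0-9+/]+={0,2}$");
    private static readonly byte[] PngSignature = { 0x89, 0x50, 0x4E, 0x47 };

    public static string ToPngDataUri(byte[] png)
    {
        if (png == null || png.Length < PngSignature.Length)
            throw new ArgumentException("empty or truncated image", nameof(png));
        for (int i = 0; i < PngSignature.Length; i++)      // MIME type must match the bytes
            if (png[i] != PngSignature[i])
                throw new ArgumentException("not a PNG image", nameof(png));

        string b64 = Convert.ToBase64String(png);
        if (!Base64Only.IsMatch(b64))   // defensive check; Convert never violates this
            throw new InvalidOperationException("unexpected characters in base64 output");
        return "data:image/png;base64," + b64;             // MIME type is a fixed literal
    }
}
```

If the image bytes ever come from outside the application, keep the signature and base64 checks in place, since the `<%= %>` output is the one spot on the page the encoder no longer covers.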