AntiXssLibrary 4.0, MVC3, and some unwanted encodings

Jun 24, 2011 at 9:24 PM

I'm using Phil Haack's method from his article,, to make the AntiXssLibrary (4.0) the default encoder for my app.

In MVC3, everything get's encoded by default, except for those strings inheriting from HtmlString. Phil's Encoder class does not do anything to shield the AntiXssLibrary from these, but if the library didn't understand this to some point it would be completely Html Encoding the string, so I assume the XSS library handles this to a point...

I'm running into an issue though where the content of a textarea field in MVC3 is always prefixed with an Environment.NewLine (\r\n). When the AntiXssLibrary is set as the encoder, this get's encoded for some reason, so my textareas are always showing up with an extra newline before any content that should be there (If it is not encoded, the browser simply ignores the newline).

I've been hunting through code, and I'm unsure if this is something I can change or not... I'm assuming it is the TagBuilder class in the MVC project calling a .HtmlEncode on the contents of the tag, and perhaps the default encoder doesn't encode \r\n, but the AntiXssLibrary DOES and that's why I'm seeing this? Any ideas for how to get around it?

Jun 24, 2011 at 9:41 PM

After hunting through code, I've found that the way the MVC HtmlHelper functions in MVC3 does indeed add the newline before the HtmlEncode on the contents, resulting in this bug. I submitted it to them, along with a fix.

Feb 10, 2012 at 10:14 AM


just faced same issue. Do you have information when it is planned to be fixed?