AntiXSS 4.2.1 Problem

Feb 7, 2012 at 8:29 AM


I tried to antixss library for a test. I add AntiXssLib reference and add to my config file following line 

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

 My code was that

<script type="javascript">

var myVar='<%: Request.QueryString[0]%>'



When I set QueryString[0]  parameter to

http://localhost/?myVar=\x3cscript %20defer\x3edocument.location%3D+\x27\x27;\r\n\x3c/script\x3e
my page goes google unfotunately. What is the wrong?
Feb 7, 2012 at 3:31 PM

<%: is for HTML encoding, you're outputing javascript and then adding it as a div, so really you need to manually HTML encode, and then JavaScript encode before outputting it. And then of course jquery's .html is going to decode it anyway.

Why don't you assign it directly to the div in the view? (assuming we're talking MVC, it's hard to tell here)