How to use in WebAPI 2?

Feb 17, 2015 at 3:27 PM
Hi,

It's not clear which classes are overridden by AntiXSS in relation to .NET WebAPI 2.

Should I use HttpUtility?

Paul
Coordinator
Feb 17, 2015 at 3:46 PM
WebAPI doesn't (generally) spit out HTML, so there's no actual need for encoding.
Feb 17, 2015 at 3:59 PM
I'm using WebAPI to serve a Single Page Application.

I want to encode all values that are contained in the models using HTML, URL and JavaScript encoding where appropriate.

My understanding is that all rendered values should be encoded to prevent XSS attacks.

Paul
Coordinator
Feb 17, 2015 at 4:38 PM
That's not how you should be doing it. Models should contain data. The data is then inserted into existing or newly created elements by the calling JavaScript. When done like this, there's no need for encoding, as the browser takes care of it.

For example (with jquery)

$('#example').text("<xss?>");

Would encode the < and > correctly for the context of that element.

If you insist on trying to construct elements by string concatenation, or you believe you must send HTML (and frankly this should be a rare case), then you should use HttpUtility.HtmlEncode(""); and configure AntiXSS as the encoder via web.config (or use the built-in version in .NET 4.0 and above).
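As an added example (not code from this thread or from the AntiXSS project), the two approaches described above in plain JavaScript: inserting model data into an element as text so the browser does the escaping, versus the context-specific encoding you need only if you build markup by string concatenation. The encoder names, the render functions and the sample model are assumptions made for the example.

```javascript
// Added example, not from the thread or the AntiXSS project.
// Assumed model shape: { name: string } coming back from a WebAPI JSON endpoint.

// Preferred route: hand the browser raw data and let it treat it as text.
// textContent never parses markup, so "<xss?>" is shown literally.
// (Works on any DOM element; shown with a plain object in the test.)
function insertAsText(el, value) {
  el.textContent = String(value);
  return el;
}

// Encoder for HTML element content and double-quoted attribute values.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Encoder for a JavaScript string-literal context. Everything outside
// [A-Za-z0-9 ] becomes a \xHH or \uHHHH escape, so the value can neither
// close the literal nor inject "</script>" into the surrounding page.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Naive concatenation: the model value lands in three contexts unencoded.
function renderUnsafe(model) {
  return '<div id="user" title="' + model.name + '">' + model.name +
         '</div><script>var n = "' + model.name + '";</script>';
}

// Hardened concatenation: each slot gets the encoder for its own context.
// Note the script slot needs the JS encoder, not the HTML encoder.
function renderEncoded(model) {
  return '<div id="user" title="' + htmlEncode(model.name) + '">' +
         htmlEncode(model.name) +
         '</div><script>var n = "' + jsStringEncode(model.name) + '";</script>';
}

// Constructed sample: a model field carrying a script-breakout payload.
const sampleModel = { name: '"</script><script>alert(1)</script>' };

console.log('unsafe : ' + renderUnsafe(sampleModel));
console.log('encoded: ' + renderEncoded(sampleModel));
```

Running it shows the unsafe output contains a live `<script>alert(1)</script>` while the encoded output keeps the payload inert in all three slots; in an SPA that uses `.text()` or `textContent` neither render function is needed at all.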
Feb 17, 2015 at 4:53 PM
Thanks, I understand now.

Paul