GetSafeHtmlFragment adding \r\n into tag content

Jan 29, 2010 at 11:46 AM
Edited Jan 29, 2010 at 12:04 PM

I'm using version 3.1.3524.16873 and have noticed some \r\n characters being added into the content of a tag.

var input = "<p>Italian farm which uses seawater to <u>cool</u> some <u>plants</u> and some <u>animals</u></p>";
var output = AntiXss.GetSafeHtmlFragment(input);

gives

"\r\n<p>Italian farm which uses seawater to <u>cool</u> some <u>plants</u> and some <u>\r\nanimals</u></p>\r\n"

See how it has <u>\r\nanimals</u> rather than <u>animals</u>.
It isn't specific to underline; it happens if you set <b>animal</b> as well.

Does anyone else get this?
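A check worth keeping next to this behaviour, as an added example that is not from the thread or from the AntiXSS project itself: it drops the CR/LF the 3.1 sanitizer injects so a regression test can still assert on what the sanitizer keeps and what it strips. It assumes AntiXssLibrary.dll is referenced (the Microsoft.Security.Application namespace); the hostile input and its expected output are constructed assumptions, not output taken from the library.

```csharp
using System;
using Microsoft.Security.Application;   // AntiXssLibrary.dll (AntiXSS 3.1)

static class SanitizerRegressionCheck
{
    // AntiXSS 3.1 re-serialises the fragment and inserts its own \r\n (before and
    // after the <p>, and even inside inline elements such as <u>). Those newlines
    // are cosmetic, so compare with CR/LF removed rather than failing on them, while
    // still asserting that dangerous markup was removed.
    public static string WithoutInjectedNewlines(string html)
    {
        return html.Replace("\r", string.Empty).Replace("\n", string.Empty);
    }

    // True when, ignoring the injected CR/LF, the sanitizer output equals the markup
    // we expect to survive and no longer contains the token that must be stripped.
    public static bool SanitizesAsExpected(string input, string expectedSurviving, string mustBeGone)
    {
        string output = WithoutInjectedNewlines(AntiXss.GetSafeHtmlFragment(input));
        bool keptSafeMarkup = output == expectedSurviving;
        bool strippedHostile = output.IndexOf(mustBeGone, StringComparison.OrdinalIgnoreCase) < 0;
        return keptSafeMarkup && strippedHostile;
    }

    static void Main()
    {
        // Constructed inputs: the thread's fragment, which round-trips once the CR/LF
        // are dropped, and a hypothetical variant carrying an inline event handler.
        const string clean = "<p>Italian farm which uses seawater to <u>cool</u> some <u>plants</u> and some <u>animals</u></p>";
        const string hostile = "<p>Italian farm <u onmouseover=\"doSomething()\">animals</u></p>";

        // Assumed expected output for the hostile case: the handler attribute is removed.
        const string hostileExpected = "<p>Italian farm <u>animals</u></p>";

        Console.WriteLine("clean round-trips: " + SanitizesAsExpected(clean, clean, "<script"));
        Console.WriteLine("handler stripped:  " + SanitizesAsExpected(hostile, hostileExpected, "onmouseover"));
    }
}
```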


Coordinator
Feb 25, 2010 at 6:18 PM

Yes, this is a known issue with Anti-XSS 3.1. We will be looking at this in the upcoming version to provide more options to enable/disable the formatting.

Thanks

RV

From: AndrewNewcomb [mailto:notifications@codeplex.com]
Sent: Friday, January 29, 2010 4:47 AM
To: Anil Revuru (INFORMATION SECURITY TOOLS)
Subject: GetSafeHtmlFragment adding \r\n into tag content [AntiXSS:82446]

May 2, 2010 at 12:55 PM

Any ETA? You replied on Feb 25.

Coordinator
May 3, 2010 at 6:04 PM
xmen wrote:

Any ETA? You replied on Feb 25.

So we completed one sprint internally, which was basically a code tidy-up. We're now in a sprint which is around bug fixes in encoding reported by internal and external users and a new WPL plugin architecture, for which we plan to update the source tree, but not provide a binary release. After that we will be in a position to look at the Html sanitization black box - however, I can't give firm timescales right now.