ID | Uploaded | Status | Description | Work Items | Action

6749, uploaded by eoftedal on Sep 13, 2010 12:36 PM. Status: Being evaluated.

Native JSON requires all non-safe characters to be encoded using unicode (\unnnn instead of \xnn) and that " is used for quotes instead of single quotes.

I've added a new method called JsonEscape(string input, bool emitQuotes) which builds on and behaves like JavascriptEncode except it always uses \unnnn encoding and emits double quotes.

Work Items: 14231
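The encoding rule the patch describes (every non-safe character as a \unnnn escape, output wrapped in double quotes, never \xnn) is shown below as an added Python example. It is not the AntiXss JsonEscape code from the patch; the function names, the whitelist of characters allowed to pass through unescaped, and the sample inputs are assumptions made for this example. It also shows why the \xnn form is a problem: a standards-conforming JSON parser rejects it, while the \unnnn form round-trips.

```python
import json

# Characters allowed through unescaped: ASCII letters, digits, space and a few
# punctuation marks. This whitelist is an assumption for the example, not the
# AntiXss safe list. Everything else, including quotes, backslash, angle
# brackets, slash, control characters and all non-ASCII, becomes \uXXXX.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_")


def json_escape(text: str, emit_quotes: bool = True) -> str:
    """Encode text as a JSON string literal using only \\uXXXX escapes."""
    out = []
    for ch in text:
        if ch in _SAFE:
            out.append(ch)
            continue
        cp = ord(ch)
        if cp > 0xFFFF:
            # JSON has only 16-bit \u escapes, so code points above the BMP
            # are written as a UTF-16 surrogate pair.
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04X" % cp)
    body = "".join(out)
    return '"' + body + '"' if emit_quotes else body


def javascript_style_escape(text: str) -> str:
    """JavaScript-literal style encoder (\\xNN for Latin-1) used here only as
    the counter-example: its output is a valid JS string but not valid JSON."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in _SAFE:
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        else:
            out.append("\\u%04X" % cp)
    return "'" + "".join(out) + "'"


def is_valid_json_string(literal: str) -> bool:
    """True if a strict JSON parser accepts the literal as a string value."""
    try:
        return isinstance(json.loads(literal), str)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


if __name__ == "__main__":
    # Constructed sample: a value that would break out of a <script> block or a
    # JSON document if emitted raw.
    sample = '</script><b>"O\'Reilly"</b>'
    print(json_escape(sample))                 # only \uXXXX escapes, double quoted
    print(is_valid_json_string(json_escape(sample)))            # True
    print(is_valid_json_string(javascript_style_escape(sample)))  # False
```

Because '<', '/', both quote characters and the backslash are all outside the whitelist, the escaped output contains no character that can terminate a surrounding <script> element or a JSON string, and json.loads recovers the original value exactly.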

4844, uploaded by jk on Jan 6, 2010 8:55 PM. Status: Being evaluated.

This patch contains 1 source code file, HtmlWriter.cs, based on the 3.1 release version.

The WriteTagEnd method was incorrectly handling closing out tags which are empty content tags (e.g. IMG, BR, HR, INPUT). When calling AntiXss.GetSafeHtmlFragment with an input string like <div><img src="javascript:alert(String.fromCharCode(88,83,83))" /></div>, the closing slash was not being emitted in the HtmlWriter, thus creating invalid xhtml (<div><img src=""></div>) instead of the properly closed xhtml (<div><img src="" /></div>).

Please contact me if I can provide additional details.
Thanks!
Jeff Knutson
jk@jeffknutson.net

