AntiXss.GetSafeHtmlFragment adds carriage returns.

description

The line of code:

Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment("<p>hello</p>")

results in an output of:

"\r\n<p>hello</p>\r\n".

I can't find any documentation of why this would happen, and, if it is intended, why you would want to automatically prepend and append carriage returns to a string.

comments

anilkr wrote Jan 15, 2010 at 7:57 PM

This could be because of normalizing the HTML by default.

In the beta version of WPL, we will be adding methods to include new boolean parameter for GetSafeHtmlFragment method to turn the normalization on and off.

Thanks
Anil Revuru

xmen wrote May 2, 2010 at 2:45 AM

Here is a workaround

Open HtmlToHtml.cs, set testNoNewLines = true

and open AntiXSS.cs and in GetSafeHtmlFragment, search

output = output.Substring(0, output.Length - 8);

change it to

output = output.Substring(0, output.Length - 6);

and done ;)

NOTE: It's just a workaround; I didn't check it deeply, and it may have some unknown bugs. So I take no responsibility for any damage.

NickPetrovits wrote Feb 15, 2012 at 11:44 PM

Why would you normalize the input of these functions by default? The only changes that should be made to the input text are changes to ensure that no XSS or other attack vector has been added to the input.

This is incredibly unexpected functionality, and not desirable at all.
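A way to get rid of the surrounding CR/LF without editing the library source, as an added example that is not part of the original issue or of the AntiXSS project: wrap the call and trim only the leading and trailing CR/LF characters from what GetSafeHtmlFragment returns. Trimming whitespace outside the markup cannot introduce an element or attribute, so the result is exactly as safe as the library's own output; patching HtmlToHtml.cs or the Substring arithmetic in AntiXSS.cs, as in the workaround above, changes the sanitizer itself and would need its test suite rerun. The example assumes a reference to the AntiXSS assembly (Microsoft.Security.Application); the class name SafeHtml and the helper LooksSanitized are hypothetical, and the three input strings are constructed for the demonstration.

```csharp
using System;
using Microsoft.Security.Application;

// Added example, not code from the original issue or from the AntiXSS project.
// Assumes the AntiXSS assembly is referenced; SafeHtml is a hypothetical wrapper.
static class SafeHtml
{
    // Sanitize with AntiXSS, then strip only the CR/LF that GetSafeHtmlFragment
    // wraps around the fragment. Nothing inside the markup is touched, so the
    // sanitizer's guarantees are unchanged. Caveat: if a fragment legitimately
    // starts or ends with a newline (whitespace-sensitive content such as <pre>),
    // that outer newline is removed too.
    public static string Fragment(string untrusted)
    {
        if (untrusted == null) return string.Empty;
        string sanitized = AntiXss.GetSafeHtmlFragment(untrusted);
        return sanitized.Trim('\r', '\n');
    }

    // Hypothetical unit-test check: the trimmed output must still be free of the
    // constructs the sanitizer is expected to remove. This is a regression guard
    // for the wrapper, not a replacement for the sanitizer.
    public static bool LooksSanitized(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) < 0
            && html.IndexOf("javascript:", StringComparison.OrdinalIgnoreCase) < 0
            && html.IndexOf("onclick", StringComparison.OrdinalIgnoreCase) < 0;
    }

    static void Main()
    {
        // Constructed inputs: one benign, two carrying script payloads.
        string[] samples =
        {
            "<p>hello</p>",
            "<p onclick=\"alert(1)\">hi</p>",
            "<script>alert(1)</script><b>bold</b>",
        };

        foreach (string s in samples)
        {
            string raw = AntiXss.GetSafeHtmlFragment(s);
            string trimmed = Fragment(s);

            // Show the CR/LF the library adds, then the trimmed form.
            Console.WriteLine("raw:     \"{0}\"", raw.Replace("\r", "\\r").Replace("\n", "\\n"));
            Console.WriteLine("trimmed: \"{0}\"", trimmed);
            Console.WriteLine("still sanitized: {0}", LooksSanitized(trimmed));
            Console.WriteLine();
        }
    }
}
```

Keep any post-processing of sanitizer output to operations that cannot reintroduce markup (trimming exterior whitespace is one); in particular, never HTML-decode the returned fragment, since that would undo the encoding the sanitizer applied.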