Anti-Xss Module configuration file does not work properly


I have a site (.NET 3.5) where I want to use the Anti-XSS module. I was looking at the code and I've seen that it has a lot of "span" tags that are runat="server". While doing my tests, I used the default configuration file (antixssmodule.config), which has almost all controls inside the config. It was still showing the HTML as HTML. Then I tried to add the following line inside the config file:
<ControlEncodingContext FullClassName="System.Web.UI.HtmlControls.HtmlGenericControl" PropertyName="InnerHtml" EncodingContext="Html" />
Because "span" is an "HtmlGenericControl", I was pretty sure that would work, but it doesn't. Is there any reason why it would not work?
Thank you in advance.
Closed Oct 24, 2009 at 1:19 AM by anilkr
Not fixable at this point in SRE.


anilkr wrote Dec 16, 2008 at 6:08 PM

Encoding HtmlGenericControl.InnerHtml would cause the entire HTML to be encoded. I would recommend specifying the exact control which needs to be encoded. At this point in time only higher-level ASP.NET controls work correctly with SRE, controls like Label, LinkButton, CheckBox, etc. In essence, it is not a problem with the configuration file or your configuration; it is just that encoding specific low-level controls would cause issues.

Nordes wrote Dec 16, 2008 at 6:38 PM

OK, I see. I missed the fact that "span" is a really low-level control (my bad). I imagine that in this case it would be better to replace those "span"s with real ASP.NET controls.
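A worked illustration of anilkr's point (encoding InnerHtml encodes the page author's own markup along with the untrusted data) and of the fix Nordes settles on (use a Label, whose Text property holds only the untrusted value). This is an added example, not code from the thread or from the AntiXSS project. It is a plain console program that renders the controls to a string with HtmlTextWriter, which assumes a reference to System.Web.dll; HttpUtility.HtmlEncode stands in for the encoder the Security Runtime Engine applies to the property named in a ControlEncodingContext entry, and the untrusted input is constructed for the demo.

```csharp
using System;
using System.IO;
using System.Web;                      // HttpUtility (System.Web.dll)
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

// Added example: shows why an SRE entry for HtmlGenericControl.InnerHtml
// breaks the page, and why Label.Text is the property to encode instead.
static class SreEncodingDemo
{
    // Constructed untrusted input, e.g. something read from a form field.
    const string Untrusted = "<script>alert(1)</script>";

    // Render any server control to the markup it would emit at runtime.
    static string Render(Control control)
    {
        using (var sw = new StringWriter())
        using (var hw = new HtmlTextWriter(sw))
        {
            control.RenderControl(hw);
            return sw.ToString();
        }
    }

    // Case 1: <span runat="server"> with InnerHtml. The author's <b> and the
    // untrusted data live in the same property, so the SRE cannot encode one
    // without the other. Returns the unencoded render (the XSS sink).
    static string SpanInnerHtmlUnencoded()
    {
        var span = new HtmlGenericControl("span");
        span.InnerHtml = "<b>User said:</b> " + Untrusted;
        return Render(span);
        // <span><b>User said:</b> <script>alert(1)</script></span>
    }

    // Case 1b: what the config line from the question would do: encode
    // InnerHtml wholesale. The payload is neutralised, but so is the <b>.
    static string SpanInnerHtmlEncoded()
    {
        var span = new HtmlGenericControl("span");
        span.InnerHtml = HttpUtility.HtmlEncode("<b>User said:</b> " + Untrusted);
        return Render(span);
        // <span>&lt;b&gt;User said:&lt;/b&gt; &lt;script&gt;alert(1)&lt;/script&gt;</span>
    }

    // Case 2: asp:Label. Only Text carries untrusted data, so encoding it
    // (the SRE entry would be FullClassName="System.Web.UI.WebControls.Label"
    // PropertyName="Text" EncodingContext="Html") leaves the author's markup
    // in the .aspx untouched.
    static string LabelTextEncoded()
    {
        var label = new Label();
        label.Text = HttpUtility.HtmlEncode(Untrusted);   // Label does not encode Text itself
        return "<b>User said:</b> " + Render(label);
        // <b>User said:</b> <span>&lt;script&gt;alert(1)&lt;/script&gt;</span>
    }

    static void Main()
    {
        Console.WriteLine(SpanInnerHtmlUnencoded());
        Console.WriteLine(SpanInnerHtmlEncoded());
        Console.WriteLine(LabelTextEncoded());
    }
}
```

The same separation is what makes the SRE's per-property approach workable: a property has to hold either trusted markup or untrusted text, never a mix. If a span really must stay a server control, assigning the value to InnerText rather than InnerHtml is the equivalent fix at the control level, since HtmlContainerControl.InnerText HTML-encodes what it is given.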