
Closed

<MarkAntiXssOutput Enabled="True" Color="Yellow"> does not cause the encoded markup to be marked

description

Thanks for your work on this library and HttpModule.
Looking through the source code it appears that you have to add a querystring parameter of "MarkAntiXssOutput" in order to get the output to be colored. You can see this in AntiXSSLibrary, AntiXss.cs, line 214: if (HttpContext.Current.Request.QueryString["MarkAntiXssOutput"] != null)...
It appears in looking through the source code that this check could be removed, since the only place I see it called is in the httpmodule in PageProtection, where the configuration section is checked:
if (objConfig.MarkAntiXssOutput == true || blnMarkAntiXssOutput == true)
    output = AntiXss.HtmlEncode(output, objConfig.MarkAntiXssOutputColor.ToKnownColor());
Closed Mar 16, 2009 at 7:33 PM by anilkr
Design Behavior

comments

jlesch wrote Jan 27, 2009 at 10:56 PM

I noticed this in the help file (sorry, I missed it before):

Using this feature in the ASP.NET Web application includes the following two steps:
1. You include the overloaded method in your source code.
Example:
AntiXss.HtmlEncode(request.QueryString["location"], System.Drawing.KnownColor.Yellow)

2. You invoke MarkAntiXSSOutput by passing it as a parameter in a URL.
Example:
http://www.foosite.com/default.aspx?MarkAntiXSSOutput=true

But I think that people are very likely to assume that if they set a flag called "Enabled" to True in the configuration file it will be enabled without adding a querystring parameter (in the case of only using the httpmodule).

anilkr wrote Feb 23, 2009 at 4:43 PM

Correct, it is a two-step process. You need to enable it in the config and pass the querystring parameter. The mark AntiXSS output feature was specifically for test teams to visually validate a page to see where AntiXSS encoding is used on the page. By using a two-step approach, while not testing, the page would appear normal for other users, not breaking any other visual elements.

Thanks
Anil RV
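The following is an added illustration, not code from the AntiXSS library or this issue, of the two-step gate the thread describes: marking happens only when the config flag is on AND the request carries the MarkAntiXssOutput query-string parameter. The class and method names, and the coloured-span markup used for the marker, are assumptions for the example; the library's actual marker markup is not shown on this page. Untrusted input is always HTML-encoded, whichever branch is taken, so the marker only changes presentation, never safety.

```csharp
// Added example (not AntiXSS library code): models the config-AND-querystring
// gate from this thread. Names and the span markup are assumptions.
using System;
using System.Collections.Specialized;
using System.Net;

public sealed class MarkOutputSettings
{
    // Mirrors <MarkAntiXssOutput Enabled="True" Color="Yellow"> from the issue title.
    public bool Enabled { get; set; }
    public string Color { get; set; } = "Yellow";
}

public static class MarkedEncoder
{
    // Two-step gate: both the config flag and the MarkAntiXssOutput
    // query-string parameter must be present for marking to occur.
    public static bool ShouldMark(MarkOutputSettings settings, NameValueCollection query)
    {
        return settings.Enabled && query["MarkAntiXssOutput"] != null;
    }

    // Always HTML-encodes; wraps the encoded text in a coloured span only when
    // marking is requested. The wrapper markup is an assumption for illustration.
    public static string Encode(string untrusted, MarkOutputSettings settings, NameValueCollection query)
    {
        string encoded = WebUtility.HtmlEncode(untrusted);
        if (!ShouldMark(settings, query))
            return encoded;
        return "<span style=\"background-color:" + settings.Color + "\">" + encoded + "</span>";
    }
}

public static class Demo
{
    public static void Main()
    {
        var settings = new MarkOutputSettings { Enabled = true, Color = "Yellow" };
        string input = "<b>hello</b>"; // constructed sample input

        // An ordinary visitor: no query-string parameter, so plain encoded output
        // even though Enabled="True" is set in the config.
        var ordinaryRequest = new NameValueCollection();
        Console.WriteLine(MarkedEncoder.Encode(input, settings, ordinaryRequest));

        // A tester who adds ?MarkAntiXssOutput=true sees the highlighted version.
        var testRequest = new NameValueCollection { { "MarkAntiXssOutput", "true" } };
        Console.WriteLine(MarkedEncoder.Encode(input, settings, testRequest));
    }
}
```

Because the query-string half of the gate is supplied by whoever makes the request, the config flag is what decides whether highlighting is reachable at all; keeping Enabled="False" outside test environments is the setting that guarantees production pages never carry the marker spans.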