<MarkAntiXssOutput Enabled="True" Color="Yellow"> does not cause the encoded markup to be marked


Thanks for your work on this library and HttpModule.
Looking through the source code it appears that you have to add a querystring parameter of "MarkAntiXssOutput" in order to get the output to be colored. You can see this in AntiXSSLibrary, AntiXss.cs, line 214: if (HttpContext.Current.Request.QueryString["MarkAntiXssOutput"] != null)...
It appears in looking through the source code that this check could be removed, since the only place I see it called is in the httpmodule in PageProtection, where the configuration section is checked:
if (objConfig.MarkAntiXssOutput == true || blnMarkAntiXssOutput == true)
    output = AntiXss.HtmlEncode(output, objConfig.MarkAntiXssOutputColor.ToKnownColor());
Closed Mar 16, 2009 at 8:33 PM by anilkr
Design Behavior


jlesch wrote Jan 27, 2009 at 11:56 PM

I noticed this in the help file (sorry, I missed it before):

Using this feature in the ASP.NET Web application includes the following two steps:
You include the overloaded method in your source code.
You invoke MarkAntiXSSOutput by passing it as a parameter in a url.

But I think that people are very likely to assume that if they set a flag called "Enabled" to True in the configuration file it will be enabled without adding a querystring parameter (in the case of only using the httpmodule).

anilkr wrote Feb 23, 2009 at 5:43 PM

Correct, it is a two-step process. You need to enable it in the config and pass the querystring parameter. The mark antixss output feature was specially for test teams to visually validate a page to see where antixss encoding is used on the page. By using a two-step approach, while not testing, the page would appear normal for other users, not breaking any other visual elements.

Anil RV
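The two-step gate discussed in this thread (config flag plus the MarkAntiXssOutput querystring parameter), as an added stand-alone illustration that is not the AntiXSS library's own code. The span markup used for the mark and the ShouldMark/Render names are assumptions made for this example.

```csharp
using System;
using System.Collections.Specialized;
using System.Drawing;
using System.Web;

// Constructed illustration of the gate described in the thread; not the
// AntiXSS library's implementation. The span wrapper is an assumed way of
// making encoded output visible to a tester.
public static class MarkedOutput
{
    // Step 1 (config Enabled="True") AND step 2 (querystring parameter) must both
    // hold before a page is rendered with visible marks; either alone leaves it plain.
    public static bool ShouldMark(bool configEnabled, NameValueCollection queryString)
    {
        return configEnabled && queryString["MarkAntiXssOutput"] != null;
    }

    // Encoding always happens; the mark only changes how the encoded text is shown,
    // so an ordinary visitor never sees the extra markup.
    public static string Render(string untrusted, bool mark, KnownColor color)
    {
        string encoded = HttpUtility.HtmlEncode(untrusted);
        if (!mark)
            return encoded;
        string css = ColorTranslator.ToHtml(Color.FromKnownColor(color));
        return "<span style=\"background-color:" + css + "\">" + encoded + "</span>";
    }

    public static void Main()
    {
        var normalRequest = new NameValueCollection();                       // no parameter
        var testRequest = new NameValueCollection { { "MarkAntiXssOutput", "1" } };
        string sample = "<b>user input</b> & more";                          // constructed sample

        // Config enabled but no parameter: plain encoded output, nothing marked.
        Console.WriteLine(Render(sample, ShouldMark(true, normalRequest), KnownColor.Yellow));
        // Config enabled and parameter present: same encoded text, wrapped for the tester.
        Console.WriteLine(Render(sample, ShouldMark(true, testRequest), KnownColor.Yellow));
        // Parameter present but config disabled: still plain, the flag alone is not enough.
        Console.WriteLine(Render(sample, ShouldMark(false, testRequest), KnownColor.Yellow));
    }
}
```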