Html Link output being encoded

Jul 29, 2010 at 1:01 PM
Edited Jul 29, 2010 at 1:08 PM

I may be missing something here. Following on from [1].

In my MVC 2 application I add the following to my web.config:
<httpRuntime encoderType="Microsoft.Security.Application.Encoded.Net4.AntiXssEncoder, Microsoft.Security.Application.Encoded.Net4" />

Then create a view:

<link href="/content/style.css" media="screen" rel="stylesheet" type="text/css" />

Hitting the page gives:

<link href="&#47;content&#47;style.css" media="screen" rel="stylesheet" type="text/css" />

Because it adds "&#47;" in place of the "/" it means this link never works. So clearly the entry into the web.config encodes elements within every page in the application.

Is this expected behaviour - why would you ever want to do this? Trying to figure out best practice in using this excellent library :=)



Jul 29, 2010 at 1:31 PM

Oh that's quite strange, I didn't realise it would get into the link tags. In theory that is actually valid - is it failing in all browsers?

The next CTP will have new AntiXSS code which is slightly less zealous with punctuation and will leave / characters alone. It's currently undergoing testing - so expect to see a code drop within the next 2-3 weeks, depending on how the testing goes and my own work load. Until then I'd steer clear of replacing the default encoder with Phil's code.


Jul 29, 2010 at 1:50 PM
Hi Barry. Same behaviour in IE, Chrome. I agree - it is theoretically correct but I doubt it is the intention. Next code drop is great for me. Will comment out the default encoding for now and just use directly where needed. thanks.