HtmlAttributeEncode encodes spaces?

Mar 14, 2011 at 10:05 PM

I am using HtmlAttributeEncode in the latest AntiXSS library to write out some CSS classes, separated by spaces.  Although all I've read says that HtmlAttributeEncode leaves spaces alone (http://msdn.microsoft.com/en-us/library/wdek0zbf.aspx, etc.) when I run it against something like "a b" I get "a b".  I saw on another page (http://idunno.org/archive/2010/07/19/Upcoming-changes-to-AntiXSS.aspx), though, that HtmlAttributeEncode does encode spaces and apostrophes (I've verified that to be true in my case).  I am manually undoing the encoding of those 2 characters, but, I was wondering if there is some other setting I need to make to ensure I don't have to work against the encoding API.  I tried setting UnicodeCharacterEncoder.MarkAsSafe to only Basic Latin to no avail.  Is there something else I'm missing?

Thanks,

Brad

Coordinator
Mar 14, 2011 at 10:10 PM

The other page is correct (that's my ramblings/blog)

AntiXSS is always going to be more broad in what it encodes I'm afraid, that's just the nature of it. You could manually change the code to safe-list those characters, but it would affect HTMLEncode and XML*Encode as well, and is, of course, unsupported. There shouldn't be any side effects from leaving it as is, aside from gaining 4 more bytes.

Mar 14, 2011 at 10:45 PM

Hello bdorrans!  The side effect I'm seeing is that any CSS styles I am using are not being picked up by the HTML.  I see this in IE8 & Chrome.  When I use the debugger in Chrome to edit the class to remove the encoded space, replacing it with a normal space, the styles show up.  For example, if I have styles for both classes a and b, and the class is set like so in the encoded HTML:  <span class="a&#32;b">hey</span>  then neither the a nor the b class styles show up.

Coordinator
Mar 14, 2011 at 10:47 PM

Ah how very strange, the RFCs say it should work.

Mar 14, 2011 at 11:22 PM

Well, it could be I am just missing something. This may be an instance of double-encoding happening... I'll double-check.

Mar 14, 2011 at 11:45 PM

Yup, double-encoding.  Sorry to be of trouble.

Coordinator
Mar 14, 2011 at 11:46 PM

No problem :) Glad it's working for you!

Nov 30, 2011 at 12:38 PM

Hi, bradster.

What did you mean saying "double-encoding"?

It looks like even the following simple case involves Unicode character references instead of a space:

string encodedString = Microsoft.Security.Application.Encoder.HtmlAttributeEncode("cssClass1 cssClass2");

//encodedString == "cssClass1&#32;cssClass2"

Thanks in advance!
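The following is an added illustration of the "double-encoding" that bradster diagnosed earlier in the thread; it is not code from the AntiXSS project or from any of the posters. It assumes a reference to the AntiXSS library (Microsoft.Security.Application.Encoder, as used above) and uses System.Net.WebUtility for two purposes: HtmlEncode stands in for a second, framework-level encoder that the already-encoded value might pass through, and HtmlDecode stands in for the browser's single pass of character-reference decoding when it parses the attribute.

```csharp
using System;
using System.Net;
using Microsoft.Security.Application;

// Added example, not AntiXSS project code. Shows why a class attribute that
// is encoded twice stops matching any CSS rule, while a single encoding works.
static class DoubleEncodingDemo
{
    // A browser builds the element's class list by splitting the *decoded*
    // attribute value on whitespace. This models that step.
    public static string[] ClassTokens(string decodedAttribute)
    {
        return decodedAttribute.Split(new[] { ' ', '\t', '\n' },
                                      StringSplitOptions.RemoveEmptyEntries);
    }

    // Print what is in the markup, what the HTML parser stores after decoding
    // character references once, and which class names CSS will see.
    static void Show(string label, string attributeValueInMarkup)
    {
        string seenByBrowser = WebUtility.HtmlDecode(attributeValueInMarkup);
        Console.WriteLine("{0}: class=\"{1}\"", label, attributeValueInMarkup);
        Console.WriteLine("    parser stores: \"{0}\"", seenByBrowser);
        Console.WriteLine("    class tokens : [{0}]",
                          string.Join(", ", ClassTokens(seenByBrowser)));
    }

    static void Main()
    {
        string classes = "cssClass1 cssClass2";

        // One pass: AntiXSS replaces the space with a numeric reference, and the
        // parser turns that reference back into a space. Two tokens, both match.
        string once = Encoder.HtmlAttributeEncode(classes);
        Show("encoded once ", once);

        // Two passes: the already-encoded value goes through another HTML
        // encoder (for example a view engine that auto-encodes output). The '&'
        // that starts the numeric reference is itself encoded, so after the
        // parser's single decode the attribute contains a literal "&#32;" and
        // the whole thing is one class name that matches nothing.
        string twice = WebUtility.HtmlEncode(once);
        Show("encoded twice", twice);
    }
}
```

The practical check is the one bradster did in the Chrome debugger: if the DOM inspector shows the attribute value still containing `&#32;` (or `&amp;`), the value was encoded more than once on the way out. The fix is to encode exactly once, at the point where the string is written into the markup, and not to layer AntiXSS on top of a framework's own output encoding.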