How do you prevent AntiXssEncoder sending numeric character reference of "Carriage Return" "Line Feed"?

Question

The ASP .Net Mark up with the AntiXssEncoder

<asp:Textbox TextMode="Multiline" runat=server>
First Line
Second Line
</asp:TextBox>

Renders as:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</head>
<body>
 <textarea rows="5" >First Line&#13;&#10;Second Line</textarea> 
</body>
</html>

This is not valid HTML5 as a numeric character reference expanded to carriage return. The reason the code is written using the numeric character reference rather than the actual characters is because the page is written in ASP .NET with the AntiXss to be a default HttpEncoder based on this page: http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx.

Removing the AntiXss encoder would solve the problem, but is there a way to keep the AntiXss encoder and prevent it sending numeric character reference of both "Carriage Return" and "Line Feed"?

Answer 1

This can't be prevented in the current version of the project (v4.2.1). There is an outstanding issue on the codeplex project.

Issue: Carriage return encoded as numeric character reference - http://wpl.codeplex.com/workitem/19074