Question

AntiXss library seems to strip out html 5 data attributes, does anyone know why?

I need to retain this input:

<label class='ui-templatefield' data-field-name='P_Address3' data-field-type='special' contenteditable='false'>[P_Address3]</label>

The main reason for using the AntiXss library (v4.0) is to ensure unrecognized style attributes are not parsed; is this even possible?

code:

var result = Sanitizer.GetSafeHtml(html);

EDIT:

The input below results in the entire style attribute being removed.

Input:

var input = "<p style=\"width:50px;height:10px;alert('evilman')\"/> Not sure why is is null for some wierd reason!<br><p></p>";

Output:

var input = "<p style=\"\"/> Not sure why is is null for some wierd reason!<br><p></p>";

Which is fine, if anyone messes around with my code on client side, but I also need the data attribute tags to work!


Solution

I assume you mean the sanitizer, rather than the encoder. It's doing what it's supposed to - it simply doesn't understand HTML5 or recognise the attributes, so it strips them. There are ways to XSS via styles.

It's not possible to customise the safe list either, I'm afraid; the code base simply doesn't allow for this. I know a large number of people want that, but it would take a complete rewrite to support it.
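Added illustration (not part of the question or the answer, and not code from the AntiXSS library): the behaviour the answer describes is that of an allowlist sanitizer, which rebuilds the markup and keeps only the tags and attributes it explicitly recognises. The example below, written in Python on the standard library rather than in C#, shows the same approach with HTML5 data-* attributes added to the allowlist, so the asker's label element survives while the style attribute (and anything else unrecognised, such as event handlers or script bodies) is dropped. The tag and attribute allowlists and the value pattern are constructed for this example; a real deployment would tune them to the markup it actually accepts.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlists constructed for this example: elements and attribute names to keep.
ALLOWED_TAGS = {"p", "br", "label", "span", "div", "b", "i", "ul", "ol", "li"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"class", "contenteditable"}
# HTML5 custom data attributes: "data-" followed by lowercase letters, digits or hyphens.
DATA_ATTR = re.compile(r"^data-[a-z0-9-]+$")
# Attribute values are restricted to plain text (no angle brackets, quotes or parentheses),
# which also rejects the style value from the question even if "style" were allowlisted.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9 _.,:;#\[\]-]*$")
# Elements whose text content must be discarded along with the element itself.
RAWTEXT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a document from an allowlist: anything not explicitly permitted
    (unknown tags, unknown attributes, unsafe values, script bodies) is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attribute-or-None) pairs removed, useful for logging
        self._discard = False  # True while inside <script> or <style>

    def _keep(self, name, value):
        if value is None:
            return False
        if name not in ALLOWED_ATTRS and not DATA_ATTR.match(name):
            return False
        return bool(SAFE_VALUE.match(value))

    def handle_starttag(self, tag, attrs):
        if tag in RAWTEXT_TAGS:
            self._discard = True
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if self._keep(name, value):
                # Re-quote and re-escape so the value cannot break out of the attribute.
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAWTEXT_TAGS:
            self._discard = False
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._discard:
            return
        # Text nodes are re-escaped so a stray "<" or "&" cannot open new markup.
        self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(html):
    """Return (sanitized_html, dropped) for the given fragment."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # The asker's label element and the style-carrying paragraph from the question.
    label = ("<label class='ui-templatefield' data-field-name='P_Address3' "
             "data-field-type='special' contenteditable='false'>[P_Address3]</label>")
    styled = ("<p style=\"width:50px;height:10px;alert('evilman')\"/> "
              "Not sure why is is null for some wierd reason!<br><p></p>")
    for fragment in (label, styled):
        clean, dropped = sanitize(fragment)
        print(clean)
        print("dropped:", dropped)
```

Because the parser emits only what the allowlist names, supporting a new attribute family is a one-line change to the allowlist rather than a rewrite; the `dropped` list makes it easy to log what was removed so unexpected stripping (like the data attributes in the question) is visible in testing.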

Licensed under: CC-BY-SA with attribution