Question

Hey all!

I'm using ASP.NET MVC 3 and AntiXssLibrary 4.2, and I try to encode some text with single or double quotes. The problem is that I get &#39; &quot; instead of ' or ", and in Hebrew they are very useful (like רמב"ם or צ'ק). I know that these are included in the Hebrew and Default parameters of this method:

UnicodeCharacterEncoder.MarkAsSafe(
        LowerCodeCharts.Default | LowerCodeCharts.Hebrew,
        LowerMidCodeCharts.None,
        MidCodeCharts.None,
        UpperMidCodeCharts.None,
        UpperCodeCharts.None);

I tried all the encoding methods without the expected result.

EDIT:

For my second problem, where I try to put an HTML string on my view like this

return new HtmlString(Encoder.HtmlEncode(resFile));

and I get all the HTML markup instead of the rendered page, the problem was that Microsoft moved the GetSafeHtml() method to the HtmlSanitizationLibrary assembly. I found it in this answer and downloaded it from here. Now I can use it like this

return new HtmlString(Sanitizer.GetSafeHtml(questionsAnswerString));

After that, of course, I added the reference

using Microsoft.Security.Application;

Now I'm stuck with those quotes. Any help?


Solution 2

I'm sorry for the hassle, but it is impossible to put these characters on the whitelist. We can see here in the Microsoft Reference Source of MarkAsSafe that it calls ApplyHtmlSpecificValues(), and there we can see

    private static void ApplyHtmlSpecificValues() {
        characterValues['<'] = "lt".ToCharArray();
        characterValues['>'] = "gt".ToCharArray();
        characterValues['&'] = "amp".ToCharArray();
        characterValues['"'] = "quot".ToCharArray();
        characterValues['\''] = "#39".ToCharArray();
    }

Anyway, they keep these characters, so you cannot get them after encoding.

So the only solution I have seen fit is to always call this function from one place and, after its execution, just change the characters back :(

return Encoder.HtmlEncode(input).Replace("&quot;", "\"").Replace("&#39;", "'");

10x ;)
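The Replace() workaround above is only safe where the output lands in element text. The following console program is an added example, not code from the question, the answer or the AntiXSS library; it uses System.Net.WebUtility.HtmlEncode as a stand-in for Encoder.HtmlEncode (both emit &quot; and &#39; for the two quote characters, which is the behaviour at issue), and the hostile input string is constructed for the demonstration. It goes one step beyond the answer by rendering the same decoded string into an attribute value, where the restored double quote closes the attribute.

```csharp
// Added example: the quote-restoring workaround in two HTML contexts.
// Assumption: WebUtility.HtmlEncode stands in for
// Microsoft.Security.Application.Encoder.HtmlEncode.
using System;
using System.Net;

static class QuoteWorkaround
{
    // The workaround from the answer: encode, then put the two quote
    // characters back so Hebrew text such as רמב"ם or צ'ק displays as typed.
    public static string EncodeKeepingQuotes(string input)
    {
        return WebUtility.HtmlEncode(input)
            .Replace("&quot;", "\"")
            .Replace("&#39;", "'");
    }

    static void Main()
    {
        string hebrew = "רמב\"ם or צ'ק";
        // Constructed input: a closing quote followed by an event handler
        // attribute, the usual shape of an attribute break-out.
        string hostile = "\" onmouseover=\"alert(1)";

        // 1. Element text: still safe. '<', '>' and '&' remain encoded,
        //    and a bare quote inside element content is just a character.
        Console.WriteLine("<td>" + EncodeKeepingQuotes(hebrew) + "</td>");
        Console.WriteLine("<td>" + EncodeKeepingQuotes(hostile) + "</td>");

        // 2. Attribute value: the restored '"' terminates title="..." and the
        //    remainder of the input becomes a new attribute on the element.
        Console.WriteLine("<td title=\"" + EncodeKeepingQuotes(hostile) + "\">x</td>");

        // 3. Same hostile input through the encoder alone stays inert:
        //    the quote is written as &quot; and never closes the attribute.
        Console.WriteLine("<td title=\"" + WebUtility.HtmlEncode(hostile) + "\">x</td>");
    }
}
```

Case 2 prints `<td title="" onmouseover="alert(1)">x</td>`, so a value passed through EncodeKeepingQuotes must never be placed inside a quoted attribute, a single-quoted attribute (the restored `'` has the same effect there), or a script block; keep it for element content only, and keep the call in one place as the answer suggests so that rule can be enforced.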

OTHER TIPS

OK, if you get &#039; &quot; on the HTML page that is rendered, then it occurs to me that you are running into the problem of double HTML encoding.

To replicate your situation, copy and paste the code under Replication: into one of your views, and see the problem for yourself.

HtmlString and MvcHtmlString are not supposed to encode an HTML string that is already encoded. So in your case either the

return new HtmlString(Encoder.HtmlEncode(resFile));

or

Sanitizer.GetSafeHtml(questionsAnswerString)

is returning a string that is HTML encoded, after which, in the view, you are actually encoding it one more time.

This may happen because in your view, which is actually rendering your content, you are using Razor's

@alreadyHtmlEncodedString
// Razor's @ syntax HTML encodes the given string
// (irrespective of whether the given string is not HTML encoded
// or is HTML encoded already or whatever;
// it just encodes the given string)

or ASPX's

<%:alreadyHtmlEncodedString%>
// ASPX's <%: %> syntax HTML encodes the given string
// (irrespective of whether the given string is not HTML encoded
// or is HTML encoded already or whatever;
// it just encodes the given string)

So, if that is the case, either use Html.Raw for the string that is already HTML encoded, or just rely on Razor's @ syntax for the unsafe, non-HTML-encoded string, whichever is your way to go.


  • Replication:

Below is some code for replicating your scenario, if it helps, and a sample output as well as an image. Put the code below in one of your views.

@{string quotes = @"'""";
  string quotesHtmlEncoded = Html.Encode(@"'""");
  string hebrew = @"like רמב""ם or צ'ק";
  string hebrewHtmlEncoded = Html.Encode(@"like רמב""ם or צ'ק");
  string sampleXss = "<script>alert('1')</script>";
  string sampleXssHtmlEncoded = Html.Encode("<script>alert('1')</script>");
}

<table border="1">
    <thead>
        <tr>
            <th></th>
            <th>razor @@
            </th>
            <th>Raw
            </th>
            <th>MvcHtmlString.Create
            </th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>quotes
            </td>
            <td>
                @quotes
            </td>
            <td>
                @Html.Raw(quotes)
            </td>
            <td>
                @MvcHtmlString.Create(quotes)
            </td>
        </tr>
        <tr>
            <td>quotesHtmlEncoded
            </td>
            <td>
                @quotesHtmlEncoded
            </td>
            <td>
                @Html.Raw(quotesHtmlEncoded)
            </td>
            <td>
                @MvcHtmlString.Create(quotesHtmlEncoded)
            </td>
        </tr>
        <tr>
            <td>hebrew
            </td>
            <td>
                @hebrew
            </td>
            <td>
                @Html.Raw(hebrew)
            </td>
            <td>
                @MvcHtmlString.Create(hebrew)
            </td>
        </tr>
        <tr>
            <td>hebrewHtmlEncoded
            </td>
            <td>
                @hebrewHtmlEncoded
            </td>
            <td>
                @Html.Raw(hebrewHtmlEncoded)
            </td>
            <td>
                @MvcHtmlString.Create(hebrewHtmlEncoded)
            </td>
        </tr>
        <tr>
            <td>sampleXss
            </td>
            <td>
                @sampleXss
            </td>
            <td>
                @Html.Raw(sampleXss)
            </td>
            <td>
                @MvcHtmlString.Create(sampleXss)
            </td>
        </tr>
        <tr>
            <td>sampleXssHtmlEncoded
            </td>
            <td>
                @sampleXssHtmlEncoded
            </td>
            <td>
                @Html.Raw(sampleXssHtmlEncoded)
            </td>
            <td>
                @MvcHtmlString.Create(sampleXssHtmlEncoded)
            </td>
        </tr>
    </tbody>
</table>

(sample output image: doubleEncodedHtml)
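The table above shows the symptoms; the program below, an added example that is not part of the answer or of ASP.NET MVC, shows the mechanism behind them. Razor's @ writes an IHtmlString verbatim and HTML-encodes anything else, which is why HtmlString, MvcHtmlString and Html.Raw escape the second encoding. The IHtmlString interface and HtmlString class are redeclared here (assumed to match the System.Web contract) so the program runs without a System.Web reference, and System.Net.WebUtility.HtmlEncode stands in for the encoder Razor calls.

```csharp
// Added example: a model of what Razor's "@value" does with a plain string
// versus an IHtmlString. Assumptions: the redeclared IHtmlString/HtmlString
// follow the System.Web contract; WebUtility.HtmlEncode stands in for the
// encoder Razor uses (both emit &quot; and &#39;).
using System;
using System.Net;

interface IHtmlString { string ToHtmlString(); }

// A string that is already safe HTML; Razor writes it without encoding.
sealed class HtmlString : IHtmlString
{
    private readonly string _html;
    public HtmlString(string html) { _html = html; }
    public string ToHtmlString() { return _html; }
}

static class RazorModel
{
    // What the view engine emits for "@value": pass IHtmlString through,
    // encode everything else exactly once.
    public static string Write(object value)
    {
        if (value == null) return string.Empty;
        var safe = value as IHtmlString;
        return safe != null ? safe.ToHtmlString() : WebUtility.HtmlEncode(value.ToString());
    }

    // Equivalent of Html.Raw(s): mark the string as already encoded.
    public static IHtmlString Raw(string alreadyEncoded)
    {
        return new HtmlString(alreadyEncoded);
    }

    static void Main()
    {
        string hebrew = "רמב\"ם or צ'ק";
        string encodedOnce = WebUtility.HtmlEncode(hebrew);

        // Encode exactly once: @ encodes the raw string, the browser decodes
        // &quot; and &#39; and displays the quotes.
        Console.WriteLine(Write(hebrew));

        // Double encoding: encoded in the controller, encoded again by @.
        // The leading '&' of each entity becomes &amp;, so the page shows
        // the literal text &quot; and &#39;.
        Console.WriteLine(Write(encodedOnce));

        // Pre-encoded string marked safe: @ passes it through unchanged.
        Console.WriteLine(Write(Raw(encodedOnce)));

        // The same pass-through is why Raw must never wrap unencoded,
        // untrusted input: the markup reaches the browser as-is.
        Console.WriteLine(Write(Raw("<script>alert('1')</script>")));
    }
}
```

The second line is the case from the question: its output contains `&amp;quot;` and `&amp;#39;`, which the browser renders as the visible text `&quot;` and `&#39;`. The fix is to pick one side of the rule per value: either hand @ the raw text (no Encoder.HtmlEncode in the controller), or hand it an HtmlString built from output that was encoded or sanitized exactly once, such as the Sanitizer.GetSafeHtml result from the question.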

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow