How to write in asp.net web.config httpRuntime for 3.5 framework

StackOverflow https://stackoverflow.com/questions/9064610

Question

This attribute is new in the .NET Framework version 4.0.I have web.config file in solution with 4.0 version of .Net Framework

<system.web>
    <httpRuntime  encoderType="Web.AntiXss.AntiXssEncoder, Web.AntiXss"/>

and this works well, but if i change version to 3.5 i get this erorr

Unrecognized attribute 'encoderType'. Note that attribute names are case-sensitive.

encoderType attribute is only in 4.0 version, how can i rewrite this to 3.5 ?

EDIT
Or how can i use microsoft AntiXss library in .net 3.5 projects ?
I use this article for .net 4.0 http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx

Was it helpful?

Solution

This is only for .Net4

Gets or sets the name of a custom type that 
        can be used to handle HTML and URL encoding.

You must understand that this is an inside change of a function that are called from the core of Net4, this function is not exist on net 3.5 and lower, so its not how they write it, they just not exist.

reference: http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.encodertype.aspx

Some more informations

This parametre actually is an option to replace the class System.Web.Util.HttpEncoder that also exist on Net 3.5, but with out the option of core replace it.

The System.Web.Util.HttpEncoder is all ready very power full, and the Net.4 actually insert some more features. By replace it with the AntiXccEncoder maybe you get some more control but if not, then is not the end of the world (by HG Wells).

Also I check if its possible with some code to replace this call, and seems to me not possible because this is called on too many points, for example its calling on all control attributes !, on url call, on html render, and its so native inside Net4 that is not worth to make so many code to change the HttpEncoder to AntiXccEncoder.

Maybe you need to focus on the page code that you may afraid for attack and be soure to handle the input data correct.

OTHER TIPS

If you are using a version of .NET earlier than 4.5, you will need to download and include the library as a reference to your project, and then use the earlier library name for the encodeType setting as shown below.

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top