How to use AntiXSS but keep output readable?

Question

I'm using Microsoft's AntiXSS library to HtmlEncode content being displayed on a web page.

The problem is it encodes more than I want it to. For example it encodes the colon ":".

Is there a way to HtmlEncode, but not certain characters?

An example is if I have a string like "RE: email subject line", is it possible to use the AntiXSS library to encode that string but have it not show up as "RE: email subject line". I want the ":" to show up but still want to encode the output.

Update: The problem was that I was using Razor and the "@" already encodes output. So by using both the "@" and the AntiXSS Html.Encode call I was double encoding.

Answer 1

If you are seeing the encoding results on screen as your comments seem to indicate then you are double encoding. : is the colon, and that would be the output of AntiXSS, but something after that is encoding the & to &

What is doing this depends on what you're using. If you're using WebForms then a bunch of the controls will encode Text and other properties by default, and stopping this depends on the control. If you're using MVC the <%: performs encoding of what you're passing before adding it to the output stream. You can either, if you're using MVC3 replace the default encoders (AntiXSS beta 4.1, or roll your own if you don't want to use a beta), or tell MVC you're outputting an already encoding string by outputting an HtmlString.

In .NET 4.5 the core parts of AntiXSS will be built in and configurable via a config switch.