Question

I'm doing some AntiXSS work. The user inputs some text which is then put through

Microsoft.Security.Application.Encoder.HtmlEncode();

and saved to the database.

This text can then be displayed in either a label or a textbox.

If I put the encoded text into the text property of a label it displays fine. If I assign it to the text property of a textbox it's displayed in its encoded form.

How can I display the text correctly in the textbox and the label? Does the library offer any decode mechanisms?

Because of project requirements I cannot change either the library or the fact that it's encoded on the input.

Solution

You can use Server.HtmlDecode or HttpUtility.HtmlDecode.

Other tips

You're doing it wrong. You should not HtmlEncode input and save it to database since there is no supported way to decode it. Rather you should save the raw information and encode it when displaying it.

I suggest using GetSafeHtmlFragment for removing all tags and attributes that are not on the white list. The link below will be helpful.
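The two situations discussed above, as an added example that is not part of the original question or answers: an ASP.NET Web Forms code-behind that handles a value which was already HtmlEncoded before storage (the asker's case, decoded only for the TextBox) and the store-raw, encode-on-output pattern the second answer recommends. The control names `lblComment` and `txtComment`, the `LoadStoredValue` helper and the sample input are assumptions made for the example; `Sanitizer.GetSafeHtmlFragment` is the AntiXSS 4.x API and is assumed to be available in the referenced library version.

```csharp
// Added example, not code from the original page. Assumes a Web Forms page with a
// Label (lblComment) and a TextBox (txtComment) declared in the .aspx markup.
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Security.Application;

public partial class CommentPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Case 1: the value was HtmlEncoded on input and stored that way.
        // For the constructed input  <b>x</b> & "y"  the stored form is
        // &lt;b&gt;x&lt;/b&gt; &amp; &quot;y&quot;
        string storedEncoded = LoadStoredValue();

        // Label writes Text into the HTML body verbatim, so the already-encoded
        // string renders as the literal text the user typed, and no markup executes.
        lblComment.Text = storedEncoded;

        // TextBox encodes its value attribute itself when it renders, so assigning the
        // encoded string would double-encode it (the asker's symptom). Decode once;
        // the control re-encodes on output.
        txtComment.Text = HttpUtility.HtmlDecode(storedEncoded);

        // Never do the opposite: HtmlDecode into a Label would emit the raw markup
        // into the page body and reintroduce the XSS the encoding was meant to stop.
    }

    // Case 2: the pattern the second answer recommends. Persist the raw text and
    // encode exactly once, at the point of output, for the context it is rendered into.
    private void BindFromRaw(string raw)
    {
        lblComment.Text = Encoder.HtmlEncode(raw); // HTML body context: encode here
        txtComment.Text = raw;                     // attribute context: the control encodes
    }

    // Variant of case 2 for a field where limited markup is allowed: keep only
    // whitelisted tags and attributes instead of encoding everything.
    private void BindFromRawAllowingMarkup(string raw)
    {
        lblComment.Text = Sanitizer.GetSafeHtmlFragment(raw);
    }

    // Hypothetical stand-in for the data access layer; returns a constructed value
    // in the form the asker's input path would have stored it.
    private static string LoadStoredValue()
    {
        return Encoder.HtmlEncode("<b>x</b> & \"y\"");
    }
}
```

The rule of thumb the block illustrates: encoding is a property of the output context, not of the data. A value stored pre-encoded for one context (HTML body) is wrong for every other one (attribute, JavaScript, URL), which is why the TextBox double-encodes and why storing raw text and encoding on display is the more robust design.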

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow