Reputation: 131
How to use AntiXSS in WebAPI?
I'm not clear on how to use the AntiXSS library in my .Net WebAPI 2 project.
I have installed the AntiXSS NuGet package (which gives me v4.3), and have set the encoderType property of httpRuntime in web.config.
Which class should I now use to take advantage of AntiXSS? Does it override the behaviour of System.Web.HttpUtility?
Upvotes: 4
Views: 2558
Answers (1)
Reputation: 131
If using the AntiXSS NuGet package, the correct use is to use Microsoft.Security.Application.Encoder.
According to bdorrans of the MS Web Protection Library (AntiXSS) project, you can indeed use HttpUtility once encoderType is set.
However, it shouldn't normally be a concern to encode output from an API. My scenario is that I'm serving a Single Page Application, and was worried I was injecting unsafe values in to the page via my model. But unless injecting values via .html() or .eval(), any malicious values will not be executed on the client.
Upvotes: 3
Related Questions
- AntiXSS in .NET Framework 4.7 web application - how to apply it
- Prevent XSS on webapi
- How to use AntiXSS library in ASP.NET 4.5
- How to use AntiXss with a Web API
- How to use Microsoft AntiXss 4.x?
- Xss Support - ASP.Net web api
- System.Web.Security.AntiXss missing methods
- How to config AntiXSS with .Net 3.5?
- Microsoft AntiXSS wpl using in asp.net mvc3 applicaton
- How to use AntiXss in my Project?