AntiXss.HtmlEncode warning :This method has been deprecated. Please use Encoder.HtmlEncode() instead

Question

I'm trying to Use Microsoft AntiXss.HtmlEncode while merging html tags with server side scripting.

Default.aspx

 <h1><asp:Literal ID="litHeader" runat="server" /></h1>

Default.aspx.cs

 litHeader.Text = AntiXss.HtmlEncode(dt.Rows[0]["Header"].ToString());

I keep getting the following warning in my project:

'Microsoft.Security.Application.AntiXss.HtmlEncode(string)' is obsolete: 'This method has been deprecated. Please use Encoder.HtmlEncode() instead.'

It is just a warning, do you think it will make any security issues in the future?

Answer 1

Microsoft has two "AntiXss" packages, the original AntiXss library which was on CodePlex and a newer one with is built into ASP.Net 4.5+ (https://msdn.microsoft.com/en-us/library/system.web.security.antixss(v=vs.110).aspx). It's possible that they are trying to let you know they aren't maintaining the original.

In an effort to make the transition easy (Not!) they have changed the namespace (to System.Web.Security.AntiXss) and method signatures. They also eliminated some functionality (e.g., removing HtmlAttributeEncode(string) and just leaving HtmlAttributeEncode(string, TextWriter))