Reputation: 2588
AntiXss.HtmlEncode vs AntiXss.GetSafeHtmlFragment
Can anyone please let me know the difference between these two?
AntiXss.HtmlEncode() vs AntiXss.GetSafeHtmlFragment()
Upvotes: 5
Views: 21376
Answers (3)
Reputation: 8583
HtmlEcode actually encodes tags:
AntiXss.HtmlEncode("<b>hello</b><script>");
//Output: <b>hello</b><script>
GetSafeHtmlFragment (AntiXss v4.0) returns HTML fragments with tags intact:
Sanitizer.GetSafeHtmlFragment("<b>hello2</b><script>")
//Output: <b>hello2</b>
Update
Many consider the latest version of Microsoft's AntiXSS library broken. I've started using HTML Sanitizer as a decent replacement.
Upvotes: 9
Reputation: 71
It should also be mentioned that antixss.GetSafeHtmlFragment does encode characters too. A double quote changes to ". A plus sign turns into + etc.
Upvotes: 7
Reputation: 51
I would also add that GetSafeHtmlFragment messes up your CSS, by ading x_ in front of styles, and removes your HTML entity encoding. It is a less than beautiful thing.
Herc
Upvotes: 5
Related Questions
- What is difference between WebUtility.HtmlEncode and AntiXssEncoder.HtmlEncode?
- What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?
- Microsoft AntiXSS - Is there a need to Decode?
- What is the difference between HttpUtility.HtmlEncode and Server.HtmlEncode
- AntiXSS JavaScriptEncode gets HTML encoded?
- Using AntiXss to encode html Attribute in mvc
- What is the difference between html.AttributeEncode vs html.Encode?
- Examples of XSS vulnerabilities that get by ASP.NET 4 <%: %> or Razor encoding but are caught by AntiXSS
- ASP.NET MVC 2 - AntiXSS vs Built In MVC Encoding
- AntiXss.UrlEncode vs. AntiXss.HtmlAttributeEncode usage in link (a href)