The HttpUtility class provides for both encoding and decoding. But, when I use the MS AntiXSS 3.1 Library I have a set of methods only for encoding, does this mean decoding can be avoided?
For example
Before applying AntiXSS:
lblName.Text = "ABC" + "<script> alert('Inject'); </script";
After applying AntiXSS:
lblName.Text = AntiXSS.HTMLEncode("ABC" + "<script> alert('Inject'); </script");
So, after applying the encoding, the HTML tags show up in my Label control.
Is this the desired outcome?
Yes, I think this is desired output. This is because the script is not executed. If the script would have been executed, an alert would be shown instead of the script tags. So this is safe code.
It depends where your input is coming from, and what you want to do with it. A lot of the time the framework decodes for you before you see things - Request.Form, Request.QueryString etc.
If you're reading an encoded string from somewhere else, for example a database then you may want to decode it, otherwise you'll see double encoding, for example;
I 3> AntiXSS encoded once becomes
I 3> AntiXSS which then becomes after double encoding
I 3&gt; AntiXSS
which can have unintended side effects depending on what consumes the output. The act of decoding until the string no-longer changes is an example of canonicalisation.
You can use the HttpUtility.HtmlDecode method to decode AntiXss encoded text (or any encoded text). No explicit AntiXss decode is required.
来源:https://stackoverflow.com/questions/3774776/microsoft-antixss-is-there-a-need-to-decode