I've got an ASP.NET 4.0 webforms app that uses some gridviews. I'm trying to get the MS Web Protection Library to correctly encode data in the gridview so that it protects against cross-site-scripting issues.
I've added v4.2.1 of the WPL library via NuGet and have added the following to my Web.config
file:
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" executionTimeout="240" maxRequestLength="20480" requestValidationMode="2.0" />
Unfortunately, this doesn't seem to work. The string <b>hi there</b>
isn't correctly coded when outputted from a database to a gridview.
I've done this in the past using a dll called AntiXssModule.dll, but I can't now find any reference to this, and everything seems to point to the WPL instead.
Have I missed something obvious?
This reply may be one year too late, but here is what I found when having a similar problem: The combination of requestValidationMode = 2.0 and encoderType = AntiXssLibrary does not work, I had to change the value of requestValidationMode to 4.0. However, this may cause other problems.
/simon/