use of string in place of URL (in anti XSS)

1.1k views Asked by At

I need to find a way to implement encoding.

Since HTML Encoding is not working, hence I am using:

using System.Web.Security.AntiXss;

and then:

AntiXssEncoder.UrlEncode(**Iam passing string here**)

This measure resolves my issue(Positive results in HP Fortify), however I am concerned since instead of URL I am using string. Would this result into any impediments?

1

There are 1 answers

0
Samer Khatib On
using System.Web.Security.AntiXss;

and then:

string Comment= AntiXssEncoder.XmlAttributeEncode(passing string here);

or to accept HTML tags that put text in bold or italics; check content manually.

    public static bool DangerousContent (string text)
    {
        bool Status = false;
        if (
            text.Contains("<body>") ||
            text.Contains("<embed>") ||
            text.Contains("<frame>") ||
            text.Contains("<script>") ||
            text.Contains("<frameset>") ||
            text.Contains("<html>") ||
            text.Contains("<iframe>") ||
            text.Contains("<style>") ||
            text.Contains("<layer>") ||
            text.Contains("<link>") ||
            text.Contains("<ilayer>") ||
            text.Contains("<meta>") ||
            text.Contains("<meta>") ||
            text.Contains("<applet>")
           )//can add more
        {
            Status = true; 
        }
        return Status;
    }