Antixss.htmlencode Vs Antixss.getsafehtmlfragment
Can anyone please let me know the difference between these two? AntiXss.HtmlEncode() vs AntiXss.GetSafeHtmlFragment()
Solution 1:
HtmlEncode actually encodes tags:
AntiXss.HtmlEncode("<b>hello</b><script>");
//Output: &lt;b&gt;hello&lt;/b&gt;&lt;script&gt;
GetSafeHtmlFragment (AntiXss v4.0) returns HTML fragments with tags intact:
Sanitizer.GetSafeHtmlFragment("<b>hello2</b><script>");
//Output: <b>hello2</b>
Update
Many consider the latest version of Microsoft's AntiXSS library broken. I've started using HTML Sanitizer as a decent replacement.
Solution 2:
It should also be mentioned that antixss.GetSafeHtmlFragment does encode characters too. A double quote changes to &quot;. A plus sign turns into &#43; etc.
Solution 3:
I would also add that GetSafeHtmlFragment messes up your CSS, by adding x_ in front of styles, and removes your HTML entity encoding. It is a less than beautiful thing.
Herc
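To make the distinction from the three answers concrete, here is an added example (not from the original thread, and not part of the AntiXSS library itself) that runs both calls over the same inputs. It assumes the AntiXSS 4.x assembly is referenced and that the calls live in the Microsoft.Security.Application namespace as Encoder.HtmlEncode and Sanitizer.GetSafeHtmlFragment; the sample strings are constructed. The point it shows: HtmlEncode is for untrusted data that must be displayed as text (nothing renders as markup), while GetSafeHtmlFragment is for user-authored markup where safe tags must survive, at the cost of the rewriting described in Solutions 2 and 3.

```csharp
// Added example, not from the original thread. Assumes AntiXSS 4.x is referenced
// (namespace Microsoft.Security.Application); sample inputs are constructed.
using System;
using Microsoft.Security.Application;

static class AntiXssDemo
{
    // Untrusted data that must appear AS TEXT inside an HTML page: encode it.
    // Every '<' and '>' becomes an entity, so nothing in the input can become a tag.
    public static string RenderAsText(string untrusted)
    {
        return Encoder.HtmlEncode(untrusted);
    }

    // User-authored rich text (e.g. a WYSIWYG comment) where some markup should
    // survive: sanitize it. Safe tags are kept; <script> is dropped.
    public static string RenderAsRichText(string untrustedHtml)
    {
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }

    static void Main()
    {
        // Constructed inputs: the thread's own case plus ones that exercise the
        // side effects mentioned in Solutions 2 and 3.
        string[] samples =
        {
            "<b>hello</b><script>",                  // the thread's example
            "x < y && y > z",                        // plain text that merely contains '<'
            "say \"hi\" 1+1",                        // quote and plus: the sanitizer re-encodes these
            "<span style=\"color:red\">red</span>",  // inline style: the sanitizer rewrites it
            "AT&amp;T",                              // already-encoded entity: the sanitizer may change it
        };

        foreach (string input in samples)
        {
            string encoded = RenderAsText(input);
            string sanitized = RenderAsRichText(input);

            Console.WriteLine("input:     " + input);
            Console.WriteLine("encoded:   " + encoded);
            Console.WriteLine("sanitized: " + sanitized);
            Console.WriteLine();

            // Invariant for the encoder: no raw angle bracket reaches the page,
            // so the browser can never parse the data as markup.
            if (encoded.Contains("<") || encoded.Contains(">"))
                throw new InvalidOperationException("HtmlEncode left a raw angle bracket");

            // Invariant for the sanitizer: markup may survive, a script element may not.
            if (sanitized.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0)
                throw new InvalidOperationException("Sanitizer let a <script> element through");
        }
    }
}
```

Run it once and compare the two columns for the last three inputs: the encoded column is what you want whenever the value is data, not markup; only reach for the sanitizer when the application genuinely has to accept HTML from the user, and then review what it did to quotes, plus signs, style attributes and pre-existing entities before trusting the output.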