Forum Member
Microsoft's AntiXSS Library
Hi,
Does anyone have experience with Microsoft's AntiXSS library (http://www.microsoft.com/downloads/details.aspx?familyid=efb9c819-53ff-4f82-bfaf-e11625130c25&displaylang=en)
If I have an iframe what should I use to encode the src attribute.
Should I use HtmlAttributeEncode(), or UrlEncode()? I suppose I could use HtmlAttributeEncode( UrlEncode( ) ) but the documentation cautions against using more the one encoding.
Any insights greatly appreciated.
Paul
Red Fox UK Limited (Director)
URLEncode should be used to encode URLs (IFRAME SRC would be a URL).
HTMLEncode should be used to encode HTML (so if a user set their "display name" as <script>alert('bad things');</script>, the symbols are encoded into HTML entities and thus the script doesn't run wherever the users display name is shown, only prints).
Warren Ashcroft
Red Fox UK Limited - Pioneers in Internet Technology
http://www.redfoxuk.com
w.ashcroft [at] redfoxuk.com
NOTE: Forum Private Messaging should not be used to contact staff with support queries.
CookingFat (19th August 2008)
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
Reply With Quote
Bookmarks