Hey all!
I'm using ASP.NET MVC 3 and AntiXssLibrary 4.2, and I'm trying to encode some text with single or double quotes. The problem is that I get `&#39;` and `&quot;`
instead of ' or ", and in Hebrew they are very useful (like רמב"ם or צ'ק). I know that these are included in the Hebrew and Default parameters of this method:
UnicodeCharacterEncoder.MarkAsSafe(
LowerCodeCharts.Default | LowerCodeCharts.Hebrew,
LowerMidCodeCharts.None,
MidCodeCharts.None,
UpperMidCodeCharts.None,
UpperCodeCharts.None);
I tried all the encoding methods without the expected result.
EDIT:
For my second problem, I tried to put an HTML string on my view like this
return new HtmlString(Encoder.HtmlEncode(resFile));
and I got all the HTML markup instead of the rendered page. The problem was that Microsoft moved the GetSafeHtml()
method to the HtmlSanitizationLibrary assembly - I found it in this answer and downloaded it from here. Now I can use it like this
return new HtmlString(Sanitizer.GetSafeHtml(questionsAnswerString));
After that, of course, I added the reference
using Microsoft.Security.Application;
Now I'm stuck with those quotes. Any help?
I'm sorry for the hassle, but it is impossible to put these characters on the whitelist.
We can see here on Microsoft Reference Source of MarkAsSafe.
It calls ApplyHtmlSpecificValues()
and there we can see
private static void ApplyHtmlSpecificValues() {
characterValues['<'] = "lt".ToCharArray();
characterValues['>'] = "gt".ToCharArray();
characterValues['&'] = "amp".ToCharArray();
characterValues['"'] = "quot".ToCharArray();
characterValues['\''] = "#39".ToCharArray();
}
Anyway, they keep these characters, so you cannot get them back after encoding.
So the only solution I have seen fit is to always call this function from one place and, after its execution, just change the characters back :(
return Encoder.HtmlEncode(input).Replace("&quot;", "\"").Replace("&#39;", "'");
10x ;)
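An added example that is not from the original post or from the AntiXSS library itself, showing the workaround described in the answer wrapped in one helper together with the MarkAsSafe whitelist from the question. It assumes AntiXssLibrary 4.2 (`Encoder`, `UnicodeCharacterEncoder`) and the HtmlSanitizationLibrary assembly (`Sanitizer`) from the EDIT are referenced; the class name `HebrewSafeEncoder` and the method names are my own. Because the helper restores raw quote characters, its output is only safe as element text content, never inside an attribute value, where a raw `"` or `'` could close the attribute; the comments mark that boundary.

```csharp
using System;
using Microsoft.Security.Application;

// Added example (not the poster's code). Assumes AntiXssLibrary 4.2 and HtmlSanitizationLibrary.
public static class HebrewSafeEncoder
{
    static HebrewSafeEncoder()
    {
        // Same whitelist as in the question: leave the Default and Hebrew code charts unencoded.
        // MarkAsSafe is process-wide, so doing it once in a static constructor is enough.
        UnicodeCharacterEncoder.MarkAsSafe(
            LowerCodeCharts.Default | LowerCodeCharts.Hebrew,
            LowerMidCodeCharts.None,
            MidCodeCharts.None,
            UpperMidCodeCharts.None,
            UpperCodeCharts.None);
    }

    // HTML-encodes the input, then restores only the two quote entities that
    // ApplyHtmlSpecificValues() always emits ("quot" and "#39").
    // Use the result as element TEXT only (e.g. between <p> and </p>).
    // Do not place it inside an attribute value: a raw quote there would end the attribute.
    public static string EncodeKeepingQuotes(string input)
    {
        if (input == null)
        {
            return null;
        }

        // '&' in the input becomes "&amp;", so a literal "&quot;" typed by a user
        // arrives here as "&amp;quot;" and is not matched by the replacements below.
        return Encoder.HtmlEncode(input)
            .Replace("&quot;", "\"")
            .Replace("&#39;", "'");
    }

    // For strings that are meant to be rendered as HTML (the second problem in the EDIT),
    // encoding is the wrong tool; sanitizing keeps the markup but strips unsafe content.
    public static string SanitizeFragment(string html)
    {
        return html == null ? null : Sanitizer.GetSafeHtml(html);
    }

    public static void Main()
    {
        // Constructed sample inputs from the question.
        Console.WriteLine(EncodeKeepingQuotes("רמב\"ם"));   // רמב"ם  (quotes kept, Hebrew untouched)
        Console.WriteLine(EncodeKeepingQuotes("צ'ק"));      // צ'ק
        Console.WriteLine(EncodeKeepingQuotes("<b>x</b>")); // &lt;b&gt;x&lt;/b&gt;  (markup still encoded)
        Console.WriteLine(SanitizeFragment("<p>שלום</p>")); // <p>שלום</p>  (markup rendered)
    }
}
```

In a Razor view the text helper is used as `@HebrewSafeEncoder.EncodeKeepingQuotes(text)` wrapped in `new HtmlString(...)` only where the output lands in element content; for anything that lands in an attribute, keep the plain `Encoder.HtmlAttributeEncode` output, entities and all.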