MS Anti XSS SRE 4.3.0 Encoder.HtmlEncode() method encodes valid greece characters

  • Question

  • I am using the Encoder.HtmlEncode() method provided by MS Anti XSS SRE 4.3.0 to encode malicious characters entered by the user.

    It is working fine for all languages except Greek. It encodes valid Greek language characters; below is an example.

    User Input: Βρείτε το κατάλληλο προϊόν

    Output After Encoding: Βρείτε το κατάλληλο προϊόν

    As you can see in above example all characters entered by user are encoded which we don't want to encode.

    Please help with the option to escape particular language valid characters from encoding.

    Thank you !!!

    Thursday, November 7, 2019 11:08 AM

All replies

  • Thursday, November 7, 2019 2:19 PM
    Answerer
  • Thank you for your reply.

    I tried to use the MarkAsSafe() method of the AntiXssEncoder class in the Application_Start event of the Global.asax file.

    It is showing me the error "AntiXssEncoder does not contain definition for MarkAsSafe". I think it supports .NET Framework 4.0 only and we are using .NET Framework 4.5.

    Please advise how I can solve this issue.

    Thank you !!!

    Friday, November 8, 2019 7:44 AM
  • Hi Durgesh,

    Thank you for posting here.

    After searching, I found that AntiXSSLibrary.dll seems to have been deprecated.

    I also tested this dll, and it seems not to support Greek at all.

    I suggest you replace Microsoft.Security.Application.Encoder with System.Web.HttpUtility or System.Web.Security.AntiXss.AntiXssEncoder.

    They have better support for Greek, but there are still some problems: they can't parse these characters: ϊ, ό, etc.

    Here is the code:

        // Requires: using System.Web.Security.AntiXss; (reference System.Web)
        String str = "Βρείτε το κατάλληλο προϊόν";

        // System.Web.HttpUtility
        String data = System.Web.HttpUtility.HtmlEncode(str);
        Console.WriteLine("HttpUtility:   " + data);

        // System.Web.Security.AntiXss.AntiXssEncoder
        AntiXssEncoder.MarkAsSafe(LowerCodeCharts.GreekAndCoptic, LowerMidCodeCharts.Runic,
            MidCodeCharts.GreekExtended, UpperMidCodeCharts.None, UpperCodeCharts.None);

        String data1 = AntiXssEncoder.HtmlEncode(str, false);
        Console.WriteLine("AntiXssEncoder:" + data1);

    Result:

    Maybe there are other dlls that have better support for Greek.

    You can ask this question in the Greek technical forum, where programmers may have more experience.

    Edit:

    I tested AntiXSSLibrary again and found a class that I didn't notice before: UnicodeCharacterEncoder.

    You can use it like this:

      
        UnicodeCharacterEncoder.MarkAsSafe(Microsoft.Security.Application.LowerCodeCharts.GreekAndCoptic,
            Microsoft.Security.Application.LowerMidCodeCharts.None,
            Microsoft.Security.Application.MidCodeCharts.GreekExtended,
            Microsoft.Security.Application.UpperMidCodeCharts.None,
            Microsoft.Security.Application.UpperCodeCharts.None);
        String data = Encoder.HtmlEncode(str);
        Console.WriteLine(data);

    But it still can't parse those special characters.

    Hope this is helpful.

    Best Regards,

    Timon


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.




    Friday, November 8, 2019 7:50 AM
  • Hmm... It should exist in .NET Framework v4.5.

    Try moving it inside the page where you want to process the data and see whether it works.

    Or maybe you should check it under "Object Browser" in your Visual Studio and see if that method actually exists in your version. If not, then consider deploying a newer version that supports .NET v4.5.

    Friday, November 8, 2019 9:34 AM
    Answerer
  • LowerCodeChart is a flag, you need to or (||) .GreekAndCoptic and .Default to make the method work properly. (Without .Default you missed .SpacingModifierLetters, which caused the above problem.)

    AntiXssEncoder.MarkAsSafe(LowerCodeCharts.Default || LowerCodeCharts.GreekAndCoptic,
        LowerMidCodeCharts.Runic, MidCodeCharts.GreekExtended,
        UpperMidCodeCharts.None, UpperCodeCharts.None);
    


    Friday, November 8, 2019 9:40 AM
    Answerer
  • Thank you for your reply.

    I verified in the object browser; the method "AntiXssEncoder.MarkAsSafe" does not exist there.

    I also verified the version of AntiXSSLibrary; it is the latest version I have, "4.3.0.0". I cross-verified in the NuGet gallery, and the same version is available there.

    Please suggest the way to resolve this issue.

    Thank you!!!

    Monday, November 11, 2019 5:54 AM
  • It is showing me error stating that 

    Operator || can not be applied to the operand of type LowerCodeCharts and LowerCodeCharts.

    Monday, November 11, 2019 6:01 AM
  • Hi Durgesh,

    Thanks for your feedback.

    The class you are using is "Microsoft.Security.Application.AntiXssEncoder", but the class cheong00 says is "System.Web.Security.AntiXss.AntiXssEncoder".

    They have the same class name, I have explained the usage of these two classes in the previous reply, you can refer to it.

    And for your last question, use ‘|’ instead of ‘||’.

    Hope this could be helpful.

    Best Regards,

    Timon



    • Marked as answer by Durgesh More Monday, November 11, 2019 10:08 AM
    Monday, November 11, 2019 7:07 AM
  • Oh, my mistake. It should indeed be "|" instead of "||".

    And yes, for "Microsoft.Security.Application" it should use UnicodeCharacterEncoder.MarkAsSafe() to specify the range that the function does not need to encode.

    Refer to the comment by Levi on behalf of ASP.NET team for why we should use "System.Web.Security.AntiXss" version over "Microsoft.Security.Application".
    • Edited by cheong00Editor Monday, November 11, 2019 8:13 AM
    • Marked as answer by Durgesh More Monday, November 11, 2019 10:07 AM
    • Unmarked as answer by Durgesh More Friday, November 15, 2019 1:56 PM
    • Marked as answer by Durgesh More Friday, November 15, 2019 1:56 PM
    Monday, November 11, 2019 8:07 AM
    Answerer
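
An added example, not code from any poster in this thread: the thread's resolution for the in-box System.Web.Security.AntiXss encoder, combining the flag values with `|` and then checking that the wider safe list still encodes markup-significant characters. The class name GreekSafeListDemo and the sample input are constructed for illustration; it assumes a .NET Framework 4.5+ console project that references System.Web.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security.AntiXss;   // in-box encoder, .NET Framework 4.5+

static class GreekSafeListDemo   // hypothetical name, for illustration only
{
    static void Main()
    {
        // LowerCodeCharts is a [Flags] enum: combine charts with bitwise '|'.
        // Logical '||' needs bool operands, hence the compile error seen in the thread.
        LowerCodeCharts lower = LowerCodeCharts.Default | LowerCodeCharts.GreekAndCoptic;

        // MarkAsSafe is static and affects every later encode call in the process,
        // so call it once at startup (for a web app, Application_Start).
        AntiXssEncoder.MarkAsSafe(lower, LowerMidCodeCharts.None,
            MidCodeCharts.GreekExtended, UpperMidCodeCharts.None, UpperCodeCharts.None);

        // Constructed sample: the thread's Greek text plus markup that must stay encoded.
        string input = "Βρείτε το κατάλληλο προϊόν <script>alert(1)</script> \"q\"";
        string encoded = AntiXssEncoder.HtmlEncode(input, false);

        Console.OutputEncoding = System.Text.Encoding.UTF8;
        Console.WriteLine(encoded);

        // Widening the safe list must not let markup-significant characters through.
        foreach (char c in "<>\"")
            if (encoded.IndexOf(c) >= 0)
                throw new InvalidOperationException("unencoded markup character: " + c);

        // Report any Greek letter that no longer appears literally in the output,
        // i.e. one the encoder still replaced with an entity.
        foreach (char c in new HashSet<char>(input))
        {
            bool greek = (c >= '\u0370' && c <= '\u03FF') || (c >= '\u1F00' && c <= '\u1FFF');
            if (greek && encoded.IndexOf(c) < 0)
                Console.WriteLine("still encoded: U+" + ((int)c).ToString("X4"));
        }
    }
}
```

For the deprecated Microsoft.Security.Application library, the same pattern applies with UnicodeCharacterEncoder.MarkAsSafe() and Encoder.HtmlEncode(), as shown in the replies above.
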
  • Thank you for your reply. I already made that change and it is working fine now.

    Thank you!!!!!!!!!

    Monday, November 11, 2019 9:49 AM
  • Thank you for your reply. I already made that change and it is working fine now.

    I am using UnicodeCharacterEncoder.MarkAsSafe() to escape Greek characters, and will check the link you provided.

    Thank you!!!!!!!!!

    Monday, November 11, 2019 9:51 AM
  • Hi,

    Is it possible to escape a particular character from encoding?

    I am using the Encode.HtmlEncode() method to encode user input.

    It is encoding &, which we don't want to encode.

    Please provide a solution, if any.

    Thank you!!!

    Friday, November 15, 2019 1:58 PM
  • Hi Durgesh,

    In general, we only solve one problem in one post. You can create a new thread and ask your new question, and we will reply to you as soon as possible.

    Best Regards,

    Timon



    Monday, November 18, 2019 1:13 AM
  • Hi Timon,

    I have created a separate thread for my new query. Can you please try to answer it?

    Please find the below link for the same.

    Link:- https://social.msdn.microsoft.com/Forums/vstudio/en-US/e6202022-9aff-4e30-9816-e3b7f7a5a048/anti-xss-430-encode-valid-characters?forum=csharpgeneral#e6202022-9aff-4e30-9816-e3b7f7a5a048

    Thank you !!

    Monday, November 18, 2019 10:45 AM