Microsoft AntiXSS - Is there a need to Decode?

Question

The HttpUtility class provides for both encoding and decoding. But, when I use the MS AntiXSS 3.1 Library I have a set of methods only for encoding, does this mean decoding can be avoided?

For example

Before applying AntiXSS:

lblName.Text = "ABC" + "<script> alert('Inject'); </script";

After applying AntiXSS:

lblName.Text = AntiXSS.HTMLEncode("ABC" + "<script> alert('Inject'); </script");

So, after applying the encoding, the HTML tags show up in my Label control.

Is this the desired outcome?

Answer 1

It depends where your input is coming from, and what you want to do with it. A lot of the time the framework decodes for you before you see things - Request.Form, Request.QueryString etc.

If you're reading an encoded string from somewhere else, for example a database then you may want to decode it, otherwise you'll see double encoding, for example;

I 3> AntiXSS encoded once becomes

I 3> AntiXSS which then becomes after double encoding

I 3> AntiXSS

which can have unintended side effects depending on what consumes the output. The act of decoding until the string no-longer changes is an example of canonicalisation.

Answer 2

Yes, I think this is desired output. This is because the script is not executed. If the script would have been executed, an alert would be shown instead of the script tags. So this is safe code.