Just in Chronicles

Life as a Voyage


Removing the “x_” Prefixes Injected by AntiXSS Library, from the “id” and “class” Attributes


The Microsoft Web Protection Library (AntiXSS) provides strong protection while building a web site: by using it, the site can defend itself against XSS attacks. One of its benefits is that the site can sanitise users’ input, meaning HTML supplied by users is filtered by the library before it is rendered.

However, during the sanitisation process a prefix, "x_", is intentionally prepended to the value of every "id" and "class" attribute in the output. The reason is that the sanitiser cannot know which "id" and "class" values are safe, that is, which of them would collide with the elements, scripts or styles the hosting page already relies on, so it namespaces every one of them with "x_". This is, of course, not desirable in many layouts, so developers have to get rid of those prefixes from the HTML output.

using System.Text.RegularExpressions;

public static string RemoveSanitisedPrefixes(string html)
{
	// Remove "x_" only where it begins the value of an id or class attribute.
	// A plain html.Replace("x_", "") would also hit text content and other
	// attributes, and a greedy ".+" in the pattern would swallow the rest of the line.
	return Regex.Replace(html, "(?<=\\b(?:id|class)=[\"']?)x_", string.Empty, RegexOptions.IgnoreCase);
}
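The same attribute-scoped removal, written out here as an added Python example (a re-implementation of the regex idea, not the post’s C# method and not part of the AntiXSS library). The sanitised fragment and the list of ids the host page already uses are constructed for the demonstration; the naive global replace is included only to show what it breaks. It goes one step further than the post: an id whose unprefixed form already exists on the host page keeps its "x_", so the fragment cannot shadow that element.

```python
import re

# Matches id="..." or class='...' (case-insensitive); the lookbehind stops
# data-id= or similar attributes from being rewritten.
ATTR = re.compile(r'(?<![\w-])(id|class)\s*=\s*(["\'])(.*?)\2', re.IGNORECASE)


def naive_remove(html: str) -> str:
    """The global replace a first attempt usually reaches for.
    It strips 'x_' everywhere, including ordinary text."""
    return html.replace("x_", "")


def remove_sanitised_prefixes(html: str, host_ids: frozenset = frozenset()) -> str:
    """Strip the 'x_' prefix inside id/class attribute values only.

    Every whitespace-separated token is handled, so a class attribute with
    several prefixed classes is cleaned as a whole. An id whose bare form is
    already used by the host page (host_ids) keeps its prefix, because the
    prefix is what prevents the sanitised fragment from colliding with it.
    """
    def fix(m: re.Match) -> str:
        name, quote, value = m.group(1), m.group(2), m.group(3)
        tokens = []
        for tok in value.split():
            bare = tok[2:] if tok.startswith("x_") else tok
            if name.lower() == "id" and bare in host_ids:
                tokens.append(tok)      # would collide: keep the namespace
            else:
                tokens.append(bare)
        return f'{name}={quote}{" ".join(tokens)}{quote}'
    return ATTR.sub(fix, html)


# Constructed sample of what the sanitiser leaves behind (shape assumed).
SANITISED = (
    '<div id="x_comment" class="x_post x_highlight">'
    'The variable x_offset is mentioned in text. '
    '<span id="x_header">title</span></div>'
)

if __name__ == "__main__":
    print(naive_remove(SANITISED))
    print(remove_sanitised_prefixes(SANITISED))
    print(remove_sanitised_prefixes(SANITISED, frozenset({"header"})))
```

Run as a script it prints three variants: the naive one also mangles the prose ("offset"), the scoped one leaves text alone, and the third keeps `id="x_header"` because the host page is declared to own `header`.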

Once your HTML contents are sanitised by Microsoft.Security.Application.GetSafeHtml() or Microsoft.Security.Application.GetSafeHtmlFragment(), pass the sanitised HTML to the method above and you’ll get the HTML contents back with the "x_" prefixes removed. Bear in mind that the prefix is what keeps a sanitised fragment from reusing an id or class the page itself relies on, so strip it only where such a collision cannot occur.

Written by Justin Yoo

16/04/2012 at 13:25