Microsoft AntiXSS Library
Welcome to the Microsoft AntiXSS Library
Cross-site scripting (XSS) attacks exploit vulnerabilities in web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data causing the unsuspecting user's browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones.
These attacks are platform- and browser-independent, and can allow malicious users to perform malicious actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely.
See Also:
What's New / Change History
Using AntiXSS as the default ASP.NET encoder (.NET 4.0)
License Agreement
Microsoft.Security.Application
AntiXSS Help and Source
Web Protection Library Home Page
Discussion Forum
Source Code
(c) 2008, 2009, 2010, 2011 Microsoft Corporation. All rights reserved.
What's new in AntiXSS 4.2
Minimum Requirements
You can now, once again, use the encoder libraries in .NET 2.0. .NET 2.0, 3.5 and 4.0 have their own libraries optimised for each version of the framework.
.NET 4.0 Support
The .NET 4.0 version of AntiXSS comes with a class that can be used to set AntiXSS as the default encoder used by MVC, Web Pages and Web Forms applications.
Invalid Unicode is handled differently.
Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode, invalid Unicode characters would be detected and an exception thrown.
UrlPathEncode added.
The encoding library now has Encoder.UrlPathEncode(String), which will encode a string for use as the path part of a URL.
The HTML Sanitizer handles CSS differently.
The HTML Sanitizer now removes all CSS from the <head> section of an HTML page. If a <style> tag is discovered in the body of an HTML page, or in an input fragment, the tag will be removed but the contents kept, as happens with other invalid tags. If the style attribute is discovered on an element it is removed.
What's new in AntiXSS 4.0
Minimum Requirements
The AntiXSS Library now requires .NET Framework 3.5.
Return Values
If you pass a null as the value to be encoded the encoder will now return null. The previous behavior was to return String.Empty.
Medium Trust Support
The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment(), have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.
Adjustable safe-listing for HTML/XML Encoding
The safe list for HTML and XML encoding is now adjustable. The MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts) method allows you to choose from the Unicode Code Charts which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters will also be encoded. The language code charts are defined in the Microsoft.Security.Application.LowerCodeCharts, Microsoft.Security.Application.LowerMidCodeCharts, Microsoft.Security.Application.MidCodeCharts, Microsoft.Security.Application.UpperMidCodeCharts and Microsoft.Security.Application.UpperCodeCharts enumerations.
It is suggested you safe list your acceptable languages during your application initialization.
Invalid Unicode character detection
If any of the HTML, XML or CSS encoding methods encounters a character with a character code of 0xFFFE or 0xFFFF, the characters used to detect byte order at the beginning of files, an InvalidUnicodeValueException will be thrown.
Surrogate Character Support in HTML and XML encoding
Support for surrogate character pairs for Unicode characters outside the basic multilingual plane has been improved. Such character pairs are now combined and encoded as their &#xxxxx; value. If a high surrogate pair character is encountered which is not followed by a low surrogate pair character, or a low surrogate pair character is encountered which is not preceded by a high surrogate pair character, an InvalidSurrogatePairException is thrown.
HTML 4.01 Named Entity Support
A new overload of the HtmlEncode method, Encoder.HtmlEncode(String, Boolean), allows you to specify if the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example, if useNamedEntities is set to true the copyright entity would be encoded as &copy;.
HtmlFormUrlEncode
A new encoding type suitable for using in encoding Html POST form submissions is now available via Encoder.HtmlFormUrlEncode. This encodes according to the W3C specifications for application/x-www-form-urlencoded MIME type.
LDAP Encoding changes
The LdapEncode function has been deprecated in favor of two new functions, Encoder.LdapFilterEncode(String) and Encoder.LdapDistinguishedNameEncode(String).
Encoder.LdapFilterEncode(String) encodes input according to RFC 4515, where unsafe values are converted to \XX, where XX is the representation of the unsafe character. For example:
Input    Output
Parens R Us (for all your parenthetical needs)    Parens R Us \28for all your parenthetical needs\29
*    \2A
C:\MyFile    C:\5CMyFile
Lučić    Lu\C4\8Di\C4\87
Encoder.LdapDistinguishedNameEncode(String) encodes input according to RFC 2253, where unsafe characters are converted to #XX, where XX is the representation of the unsafe character, and the comma, plus, quote, slash, less than and greater than signs are escaped using slash notation (\X). In addition to this, a space or octothorpe (#) at the beginning of the input string is \ escaped, as is a space at the end of a string.
Input    Output
,+\"\<>    \,\+\"\\\<\>
(space)Hello    \(space)Hello
Hello(space)    Hello\(space)
#Hello    \#Hello
Lučić    Lu#C4#8Di#C4#87
Encoder.LdapDistinguishedNameEncode(String, Boolean, Boolean) is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name. In addition to the RFC mandated escaping, the safe list excludes the characters listed at http://projects.webappsec.org/LDAP-Injection.
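The two LDAP encoders side by side, as an added example that is not part of the original documentation: untrusted input is placed in a search filter and in a distinguished name, first by plain concatenation and then through the encoders described above. The class name, the directory layout (ou=People,dc=example,dc=com) and the sample inputs are constructed for illustration.

```csharp
using System;
using Microsoft.Security.Application;

// Added illustration; class name, directory layout and inputs are constructed.
public static class LdapEncodingExample
{
    // Search filter value: RFC 4515 escaping via LdapFilterEncode.
    public static string BuildUserFilter(string untrustedName)
    {
        return "(&(objectClass=person)(cn="
            + Encoder.LdapFilterEncode(untrustedName) + "))";
    }

    // The input is the whole attribute value of the first RDN, so the
    // single-argument overload is used and the leading space / # and
    // trailing space rules stay switched on.
    public static string BuildUserDn(string untrustedName)
    {
        return "cn=" + Encoder.LdapDistinguishedNameEncode(untrustedName)
            + ",ou=People,dc=example,dc=com";
    }

    // The input lands in the middle of an attribute value, between fixed
    // text on both sides, so the initial and final character rules are
    // turned off with the three-argument overload.
    public static string BuildContractorDn(string untrustedName)
    {
        return "cn=Contractor "
            + Encoder.LdapDistinguishedNameEncode(untrustedName, false, false)
            + " (external),ou=People,dc=example,dc=com";
    }

    public static void Main()
    {
        // Constructed inputs: "*" is the filter wildcard from the table above;
        // the second value contains a comma, which separates RDNs in a DN.
        string wildcard = "*";
        string withComma = "Lučić, Ana";

        // Plain concatenation: the filter matches every person entry
        // instead of one exact name.
        Console.WriteLine("(&(objectClass=person)(cn=" + wildcard + "))");
        // Encoded: the asterisk is treated as a literal character.
        Console.WriteLine(BuildUserFilter(wildcard));

        // Plain concatenation: the comma splits the value into two RDNs.
        Console.WriteLine("cn=" + withComma + ",ou=People,dc=example,dc=com");
        // Encoded: the comma stays inside the cn value.
        Console.WriteLine(BuildUserDn(withComma));
        Console.WriteLine(BuildContractorDn(withComma));
    }
}
```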
MarkOutput
The ability to mark output using an HtmlEncode overload and query string parameter has been removed.
See Also:
Using AntiXSS as the default ASP.NET encoder (.NET 4.0)
How do I use AntiXSS?
In this tutorial, I'll show you how the Microsoft Anti-Cross Site Scripting Library can be used to protect users from Cross-Site Scripting (XSS) attacks. I'll also show you an easy method for assessing use case scenarios for potential XSS vectors using nothing more than a simple table.
Note: Cross-site scripting (XSS) attacks exploit vulnerabilities in Web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data causing the unsuspecting user's browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones. In addition, certain server side queries such as LDAP look-ups can be injected in much the same way as SQL queries can be injected, changing the result of the query.
These attacks are platform and browser independent, and can allow malicious users to perform undesired actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely.
If you want more information on XSS attacks, including instructions on how to test for it, some good references are:
How To: Prevent Cross-Site Scripting in ASP.NET
Cross-site scripting (Wikipedia)
Cross-site Scripting (XSS) (OWASP)
Protecting an application.
To protect an application from XSS attacks we first need to understand the vectors that malicious users can use to conduct such attacks. Ideally, we should have done this at design time using threat modelling; however, we can still do this on applications that have already been implemented using the following steps:
1. Review code which produces output.
2. Determine whether output includes untrusted input parameters.
3. Determine the context in which untrusted input is used as output.
4. Encode the output appropriately.
If you aren't sure if input is trusted or not, always err on the side of caution and assume it is not. Examples of common untrusted input include:
Form fields
Query strings
Cookie contents
HTTP headers
Which encoder should I use?
Once you have found code which outputs to the user, you need to determine if the input is trusted or untrusted. Once you have decided the input is untrusted, you determine which encoding method needs to be used to make the input safe. The following table will be helpful in determining which encoding method you must use.
Encoding Method    Should be used when...    Example
HtmlEncode    Untrusted input is used in HTML output except when assigning to an HTML attribute.    <p>Hello [Untrusted Input]</p>
HtmlAttributeEncode    Untrusted input is used in HTML attributes.    <p id="[Untrusted Input]"></p>
XmlEncode    Untrusted input is used in XML output except when assigning to an XML attribute.    <name>[Untrusted Input]</name>
XmlAttributeEncode    Untrusted input is used in XML attributes.    <name firstName="[Untrusted Input]"></name>
UrlEncode    Untrusted input is used as a query string value in a URL.    <a href="http://search.bing.com/search?q=[Untrusted-input]">Click Here!</a>
UrlPathEncode    Untrusted input is used as part of a path in a URL.    <a href="http://msdn.microsoft.com/[Untrusted-input]/">Click Here!</a>
JavaScriptEncode    Untrusted input is used within a JavaScript context.    <script>var something = "[Untrusted Input]";</script>
Other encoder methods include HtmlFormUrlEncode, which is used when, in code, you are building an HTTP POST request to submit to a web site, and LdapDistinguishedNameEncode and LdapFilterEncode, which encode untrusted input for safe use when building filters or queries against an LDAP database.
Using AntiXSS
Now that you've determined which scenarios require encoding, all that is left to do is add the Microsoft Anti-Cross Site Scripting Library to your project and encode the untrusted input as it is embedded in response data. After you've installed the library you need to add a reference to it in your project. To do this use the following steps:
1. Right click the project in the Solution Explorer window in Visual Studio.
2. Select the Add Reference... option from the context menu.
3. Select the Browse tab and select the installation directory, then add the AntiXSSLibrary.dll appropriate for the .NET framework version you are using.
If you have not changed the install directory the library will be in C:\Program Files\Microsoft Information Security\AntiXSS Library v4.2 (32 bit OSes) or C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.2 (64 bit OSes). This folder will contain 3 directories, one for each version of the .NET framework AntiXSS supports.
Once you've added the reference to the library you will need to adjust your code to use the appropriate encoder. To do this, open the files which contain code that writes output, then:
1. Add a using directive:
    using Microsoft.Security.Application;
2. Change the code which assigns output, for example
    string Name = Request.QueryString["Name"];
would become
    string Name = Encoder.HtmlEncode(Request.QueryString["Name"]);
Now rebuild your web application and test it for XSS.
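The encoder-selection table applied to a single untrusted value, as an added example that is not part of the original documentation: a hypothetical IHttpHandler writes the same query-string input into five output contexts, each through the Encoder method the table assigns to it. The class name GreetingHandler and the "name" parameter are assumptions.

```csharp
using System.Web;
using Microsoft.Security.Application;

// Added illustration; GreetingHandler and the "name" parameter are hypothetical.
public class GreetingHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext context)
    {
        // Untrusted input: the query string is controlled by the caller.
        // AntiXSS 4.0 and later return null for null input, so normalise first.
        string name = context.Request.QueryString["name"] ?? string.Empty;

        HttpResponse response = context.Response;
        response.ContentType = "text/html";
        response.Write("<html><body>");

        // HTML element content -> HtmlEncode
        response.Write("<p>Hello " + Encoder.HtmlEncode(name) + "</p>");

        // HTML attribute value -> HtmlAttributeEncode, inside a quoted attribute
        response.Write("<input type=\"text\" name=\"name\" value=\""
            + Encoder.HtmlAttributeEncode(name) + "\" />");

        // Query-string value inside a URL -> UrlEncode
        response.Write("<a href=\"http://search.bing.com/search?q="
            + Encoder.UrlEncode(name) + "\">Search</a>");

        // Path part of a URL -> UrlPathEncode
        response.Write("<a href=\"http://msdn.microsoft.com/"
            + Encoder.UrlPathEncode(name) + "/\">Browse</a>");

        // JavaScript string -> JavaScriptEncode. The single-argument overload
        // emits the surrounding quotes itself, so none are written here.
        response.Write("<script>var something = "
            + Encoder.JavaScriptEncode(name) + ";</script>");

        response.Write("</body></html>");
    }
}
```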
See Also:
Using AntiXSS as the default ASP.NET encoder (.NET 4.0)
Using AntiXSS as the default ASP.NET encoder
.NET 4.0 introduced the ability to swap the default encoding libraries from the core .NET framework libraries to any external library which implements System.Web.Util.HttpEncoder. AntiXSS 4.1 now provides an implementation of this class which will allow you to use AntiXSS as the default encoder in both MVC and Web Forms.
To configure AntiXSS as the default encoder you will need to ensure you have added the .NET 4.0 version of the library to your application. You must also add an encoderType attribute to the httpRuntime section in your web.config:
    <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
See Also:
What's New in AntiXSS
License Agreement
Microsoft Public License (Ms-PL)
Microsoft Web Protection Library (http://wpl.codeplex.com)
This work is licensed under the Microsoft Public License (Ms-PL)
Copyright (c) 2010 Microsoft Corporation
This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.
1. Definitions - The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution.
2. Grant of Rights
    1. Copyright Grant - Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.
    2. Patent Grant - Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.
3. Conditions and Limitations
    1. No Trademark License - This license does not grant you rights to use any contributors' name, logo, or trademarks.
    2. If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.
    3. If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.
    4. If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.
    5. The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees, or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
Microsoft.Security.Application Namespace
The Microsoft Anti-Cross Site Scripting Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.
Classes
Class    Description
Encoder    Performs encoding of input strings to provide protection against Cross-Site Scripting (XSS) attacks and LDAP injection attacks in various contexts.
Sanitizer    Sanitizes input HTML to make it safe to be displayed on a browser by removing potentially dangerous tags.
UnicodeCharacterEncoder    Provides HTML encoding methods.
Enumerations
Enumeration    Description
LowerCodeCharts    Values for the lowest section of the UTF8 Unicode code tables, from U0000 to U0FFF.
LowerMidCodeCharts    Values for the lower-mid section of the UTF8 Unicode code tables, from U1000 to U1EFF.
MidCodeCharts    Values for the middle section of the UTF8 Unicode code tables, from U1F00 to U2DDF
UpperCodeCharts    Values for the upper section of the UTF8 Unicode code tables, from UA8E0 to UFFFD
UpperMidCodeCharts    Values for the upper middle section of the UTF8 Unicode code tables, from U2DE0 to UA8DF
Encoder Class
Performs encoding of input strings to provide protection against Cross-Site Scripting (XSS) attacks and LDAP injection attacks in various contexts.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static class Encoder
Visual Basic
Public NotInheritable Class Encoder
Visual C++
public ref class Encoder abstract sealed
Remarks
This encoding library uses the Principle of Inclusions, sometimes referred to as "safe-listing", to provide protection against injection attacks. With safe-listing protection, algorithms look for valid inputs and automatically treat everything outside that set as a potential attack. This library can be used as a defense in depth approach with other mitigation techniques. It is suitable for applications with high security requirements.
Inheritance Hierarchy
System.Object
    Microsoft.Security.Application.Encoder
See Also
Encoder Members
Microsoft.Security.Application Namespace
Encoder Members
The Encoder type exposes the following members.
Methods
Name    Description
CssEncode    Encodes the specified string for use in Cascading Style Sheet (CSS) attributes. The return value from this function is expected to be used in building an attribute string. CSS string attributes should be quoted values.
HtmlAttributeEncode    Encodes an input string for use in an HTML attribute.
HtmlEncode(String)    Encodes input strings for use in HTML.
HtmlEncode(String, Boolean)    Encodes input strings for use in HTML.
HtmlFormUrlEncode(String)    Encodes input strings for use in application/x-www-form-urlencoded form submissions.
HtmlFormUrlEncode(String, Int32)    Encodes input strings for use in application/x-www-form-urlencoded form submissions.
HtmlFormUrlEncode(String, Encoding)    Encodes input strings for use in application/x-www-form-urlencoded form submissions.
JavaScriptEncode(String)    Encodes input strings for use in JavaScript.
JavaScriptEncode(String, Boolean)    Encodes input strings for use in JavaScript.
LdapDistinguishedNameEncode(String)    Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.
LdapDistinguishedNameEncode(String, Boolean, Boolean)    Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.
LdapEncode    Obsolete. Encodes input strings to be used as a value in Lightweight Directory Access Protocol (LDAP) search queries.
LdapFilterEncode    Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) filter queries.
UrlEncode(String)    Encodes input strings for use in universal resource locators (URLs).
UrlEncode(String, Int32)    Encodes input strings for use in universal resource locators (URLs).
UrlEncode(String, Encoding)    Encodes input strings for use in universal resource locators (URLs).
UrlPathEncode    URL-encodes the path section of a URL string and returns the encoded string.
VisualBasicScriptEncode    Encodes input strings for use in Visual Basic Script.
XmlAttributeEncode    Encodes input strings for
See Also
Encoder Class
Microsoft.Security.Application Namespace
Encoder.CssEncode Method
Encodes the specified string for use in Cascading Style Sheet (CSS) attributes. The return value from this function is expected to be used in building an attribute string. CSS string attributes should be quoted values.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string CssEncode(
    string input
)
Visual Basic
Public Shared Function CssEncode ( _
    input As String _
) As String
Visual C++
public:
static String^ CssEncode(
    String^ input
)
Parameters
input
Type: System.String
String to be encoded.
Return Value
Encoded string for use in CSS element values.
Remarks
This method encodes all characters except those that are in the safe list. The following table lists the default safe characters.
Unicode Code Chart    Character(s)    Description
C0 Controls and Basic Latin    A-Z    Uppercase alphabetic letters
C0 Controls and Basic Latin    a-z    Lowercase alphabetic letters
C0 Controls and Basic Latin    0-9    Numbers
The CSS character escape sequence consists of a backslash character (\) followed by up to six hexadecimal digits that represent a character code from the ISO 10646 standard. (The ISO 10646 standard is effectively equivalent to Unicode.) Any character other than a hexadecimal digit terminates the escape sequence. If a character that follows the escape sequence is also a valid hexadecimal digit, it must either include six digits in the escape sequence or use a whitespace character to terminate the escape sequence. For example, \000020 denotes a space.
See Also
Encoder Class
Microsoft.Security.Application Namespace
Encoder.HtmlAttributeEncode Method
Encodes an input string for use in an HTML attribute.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string HtmlAttributeEncode(
    string input
)
Visual Basic
Public Shared Function HtmlAttributeEncode ( _
    input As String _
) As String
Visual C++
public:
static String^ HtmlAttributeEncode(
    String^ input
)
Parameters
input
Type: System.String
String to be encoded.
Return Value
The input string encoded for use in an HTML attribute.
Remarks
This function encodes all but known safe characters. Characters are encoded using &#DECIMAL; notation. Safe characters include:
a-z    Lowercase alphabet
A-Z    Uppercase alphabet
0-9    Numbers
,    Comma
.    Period
-    Dash
_    Underscore
The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).
Example inputs and encoded outputs:
Input    Output
alert('XSS Attack!');    alert&#40;&#39;XSS&#32;Attack&#33;&#39;&#41;&#59;
user@contoso.com    user&#64;contoso.com
Anti-Cross Site Scripting Library    Anti-Cross&#32;Site&#32;Scripting&#32;Library
See Also
Encoder Class
Microsoft.Security.Application Namespace
Overload List
Name    Description
HtmlEncode(String)    Encodes input strings for use in HTML.
HtmlEncode(String, Boolean)    Encodes input strings for use in HTML.
See Also
Encoder Class
Encoder Members
Microsoft.Security.Application Namespace
Encoder.HtmlEncode Method (String)
Encodes input strings for use in HTML.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string HtmlEncode(
    string input
)
Visual Basic
Public Shared Function HtmlEncode ( _
    input As String _
) As String
Visual C++
public:
static String^ HtmlEncode(
    String^ input
)
Parameters
input
Type: System.String
String to be encoded.
Return Value
Encoded string for use in HTML.
Remarks
All characters not safe listed are encoded to their Unicode decimal value, using &#DECIMAL; notation. The default safe characters include:
a-z    Lowercase alphabet
A-Z    Uppercase alphabet
0-9    Numbers
,    Comma
.    Period
-    Dash
_    Underscore
'    Apostrophe
(space)    Space
The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).
Example inputs and their related encoded outputs:
Input    Output
<script>alert('XSS Attack!');</script>    <script>alert('XSS Attack!');</script>
user@contoso.com    user&#64;contoso.com
Anti-Cross Site Scripting Library    Anti-Cross Site Scripting Library
"Anti-Cross Site Scripting Library"    &quot;Anti-Cross Site Scripting Library&quot;
See Also
Encoder Class
HtmlEncode Overload
Microsoft.Security.Application Namespace
Encoder.HtmlEncode Method (String, Boolean)
Encodes input strings for use in HTML.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string HtmlEncode(
    string input,
    bool useNamedEntities
)
Visual Basic
Public Shared Function HtmlEncode ( _
    input As String, _
    useNamedEntities As Boolean _
) As String
Visual C++
public:
static String^ HtmlEncode(
    String^ input,
    bool useNamedEntities
)
Parameters
input
Type: System.String
String to be encoded.
useNamedEntities
Type: System.Boolean
Value indicating if the HTML 4.0 named entities should be used.
Return Value
Remarks
All characters not safe listed are encoded to their Unicode decimal value, using &#DECIMAL; notation. If you choose to use named entities then if a character is an HTML 4.0 named entity the named entity will be used. The default safe characters include:
a-z    Lowercase alphabet
A-Z    Uppercase alphabet
0-9    Numbers
,    Comma
.    Period
-    Dash
_    Underscore
'    Apostrophe
(space)    Space
The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).
Example inputs and their related encoded outputs:
Input    Output
<script>alert('XSS Attack!');</script>    <script>alert('XSS Attack!');</script>
user@contoso.com    user&#64;contoso.com
Anti-Cross Site Scripting Library    Anti-Cross Site Scripting Library
"Anti-Cross Site Scripting Library"    &quot;Anti-Cross Site Scripting Library&quot;
See Also
Encoder Class
HtmlEncode Overload
Microsoft.Security.Application Namespace
Overload List
Name    Description
HtmlFormUrlEncode(String)    Encodes input strings for use in application/x-www-form-urlencoded form submissions.
HtmlFormUrlEncode(String, Int32)    Encodes input strings for use in application/x-www-form-urlencoded form submissions.
HtmlFormUrlEncode(String, Encoding)    Encodes input strings for use in application/x-www-form-urlencoded form submissions.
See Also
Encoder Class
Encoder Members
Microsoft.Security.Application Namespace
Encoder.HtmlFormUrlEncode Method (String)
Encodes input strings for use in application/x-www-form-urlencoded form submissions.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string HtmlFormUrlEncode(
    string input
)
Visual Basic
Public Shared Function HtmlFormUrlEncode ( _
    input As String _
) As String
Visual C++
public:
static String^ HtmlFormUrlEncode(
    String^ input
)
Parameters
input
Type: System.String
String to be encoded.
Return Value
Encoded string for use in URLs.
Remarks
This function encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. Safe characters include:
a-z    Lowercase alphabet
A-Z    Uppercase alphabet
0-9    Numbers
.    Period
-    Dash
_    Underscore
~    Tilde
Example inputs and encoded outputs:
Input    Output
alert('XSS Attack!');    alert%28%27XSS+Attack%21%27%29%3b
user@contoso.com    user%40contoso.com
Anti-Cross Site Scripting Library    Anti-Cross+Site+Scripting+Library
See Also
Encoder Class
HtmlFormUrlEncode Overload
Microsoft.Security.Application Namespace
Encoder.HtmlFormUrlEncode Method (String, Int32)
Encodes input strings for use in application/x-www-form-urlencoded form submissions.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string HtmlFormUrlEncode(
    string input,
    int codePage
)
Visual Basic
Public Shared Function HtmlFormUrlEncode ( _
    input As String, _
    codePage As Integer _
) As String
Visual C++
public:
static String^ HtmlFormUrlEncode(
    String^ input,
    int codePage
)
Parameters
input
Type: System.String
String to be encoded.
codePage
Type: System.Int32
Codepage number of the input.
Return Value
Remarks
This function encodes the output as per the encoding parameter (codepage) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. Safe characters include:
a-z    Lowercase alphabet
A-Z    Uppercase alphabet
0-9    Numbers
.    Period
-    Dash
_    Underscore
~    Tilde
Example inputs and encoded outputs:
Input    Output
alert('XSSAttack!');    alert%28%27XSS%82%a0Attack%21%27%29%3b
user@contoso.com    user%40contoso.com
Anti-Cross Site Scripting Library    Anti-Cross+Site+Scripting+Library
See Also
Encoder Class
HtmlFormUrlEncode Overload
Microsoft.Security.Application Namespace
Encoder.HtmlFormUrlEncode Method (String, Encoding)
Encodes input strings for use in application/x-www-form-urlencoded form submissions.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string HtmlFormUrlEncode(
    string input,
    Encoding inputEncoding
)
Visual Basic
Public Shared Function HtmlFormUrlEncode ( _
    input As String, _
    inputEncoding As Encoding _
) As String
Visual C++
public:
static String^ HtmlFormUrlEncode(
    String^ input,
    Encoding^ inputEncoding
)
Parameters
input
Type: System.String
String to be encoded.
inputEncoding
Type: System.Text.Encoding
Input encoding type.
Return Value
Remarks
This function encodes the output as per the encoding parameter (codepage) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. If the inputEncoding is null then UTF-8 is assumed by default. Safe characters include:
a-z    Lowercase alphabet
A-Z    Uppercase alphabet
0-9    Numbers
.    Period
-    Dash
_    Underscore
~    Tilde
Example inputs and encoded outputs:
Input    Output
alert('XSSAttack!');    alert%28%27XSS%82%a0Attack%21%27%29%3b
user@contoso.com    user%40contoso.com
Anti-Cross Site Scripting Library    Anti-Cross+Site+Scripting+Library
See Also
Encoder Class
HtmlFormUrlEncode Overload
Microsoft.Security.Application Namespace
Overload List
Name    Description
JavaScriptEncode(String)    Encodes input strings for use in JavaScript.
JavaScriptEncode(String, Boolean)    Encodes input strings for use in JavaScript.
See Also
Encoder Class
Encoder Members
Microsoft.Security.Application Namespace
Encoder.JavaScriptEncode Method (String)
Encodes input strings for use in JavaScript.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string JavaScriptEncode(
    string input
)
Visual Basic
Public Shared Function JavaScriptEncode ( _
    input As String _
) As String
Visual C++
public:
static String^ JavaScriptEncode(
    String^ input
)
Parameters
input
Type: System.String
String to be encoded.
Return Value
Encoded string for use in JavaScript.
Remarks
This function encodes all but known safe characters. Characters are encoded using \xSINGLE_BYTE_HEX and \uDOUBLE_BYTE_HEX notation. Safe characters include:
a-z    Lowercase alphabet
A-Z    Uppercase alphabet
0-9    Numbers
,    Comma
.    Period
-    Dash
_    Underscore
(space)    Space
Other    International character ranges
Example inputs and encoded outputs:
Input    Output
alert('XSS Attack!');    'alert\x28\x27XSS Attack\x21\x27\x29\x3b'
user@contoso.com    'user\x40contoso.com'
Anti-Cross Site Scripting Library    'Anti-Cross Site Scripting Library'
See Also
Encoder Class
JavaScriptEncode Overload
Microsoft.Security.Application Namespace
Encoder.JavaScriptEncode Method (String, Boolean)
Encodes input strings for use in JavaScript.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string JavaScriptEncode(
    string input,
    bool emitQuotes
)
Visual Basic
Public Shared Function JavaScriptEncode( _
    input As String, _
    emitQuotes As Boolean _
) As String
Visual C++
public:
static String^ JavaScriptEncode(
    String^ input,
    bool emitQuotes
)
Parameters
input
    Type: System.String
    String to be encoded.
emitQuotes
    Type: System.Boolean
    Value indicating whether or not to emit quotes. true = emit quote. false = no quote.
Remarks
This function encodes all but known safe characters. Characters are encoded using \xSINGLE_BYTE_HEX and \uDOUBLE_BYTE_HEX notation.
Safe characters include:
    a-z    Lowercase alphabet
    A-Z    Uppercase alphabet
    0-9    Numbers
    ,      Comma
    .      Period
    -      Dash
    _      Underscore
           Space
           Other International character ranges
Example inputs and encoded outputs:
    alert('XSS Attack!');               'alert\x28\x27XSS Attack\x21\x27\x29\x3b'
    user@contoso.com                    'user\x40contoso.com'
    Anti-Cross Site Scripting Library   'Anti-Cross Site Scripting Library'
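The two JavaScriptEncode overloads differ only in who supplies the quotes around the encoded value. The following is an added example, not code from the original documentation; the class name, variable names and sample inputs are constructed for illustration.

```csharp
using System;
using Microsoft.Security.Application;   // AntiXssLibrary40.dll, as documented above

static class JavaScriptEncodeExample
{
    // JavaScriptEncode(String) emits the surrounding quotes itself, so the
    // result is used as a complete JavaScript string literal.
    static string AssignWithEmittedQuotes(string untrusted)
    {
        return "var displayName = " + Encoder.JavaScriptEncode(untrusted) + ";";
    }

    // With emitQuotes = false the caller owns the quotes. The encoded value
    // must still sit between them: letters and digits are on the safe list
    // and pass through unchanged, so outside a string literal the same text
    // would be read as an identifier or expression.
    static string ConcatenateInsideLiteral(string untrusted)
    {
        return "var greeting = 'Hello, "
             + Encoder.JavaScriptEncode(untrusted, false)
             + "';";
    }

    static void Main()
    {
        // Constructed sample inputs. The first is the sample input from the
        // Remarks; the others exercise a quote and a closing script tag,
        // neither of which is on the safe list.
        string[] samples =
        {
            "alert('XSS Attack!');",
            "O'Brien",
            "</script>"
        };

        foreach (string sample in samples)
        {
            Console.WriteLine("input : " + sample);
            Console.WriteLine("quoted: " + AssignWithEmittedQuotes(sample));
            Console.WriteLine("inline: " + ConcatenateInsideLiteral(sample));
            Console.WriteLine();
        }
    }
}
```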
Overload List
Name                                                    Description
LdapDistinguishedNameEncode(String)                     Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.
LdapDistinguishedNameEncode(String, Boolean, Boolean)   Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.
Encoder.LdapDistinguishedNameEncode Method (String)
Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string LdapDistinguishedNameEncode(
    string input
)
Visual Basic
Public Shared Function LdapDistinguishedNameEncode( _
    input As String _
) As String
Visual C++
public:
static String^ LdapDistinguishedNameEncode(
    String^ input
)
Parameters
input
    Type: System.String
    String to be encoded.
Return Value
Encoded string for use as a value in LDAP DNs.
Remarks
This method encodes all but known safe characters defined in the safe list. RFC 2253 defines the format in which special characters need to be escaped to be used inside a search filter. Special characters need to be encoded in #XX format where XX is the hex representation of the character or a specific \ escape format.
The following examples illustrate the use of the escaping mechanism.
    Input                       Output
    ,+\"\<>                     \,\+\"\\\<\>
     hello (leading space)      \ hello
    hello  (trailing space)     hello\ 
    #hello                      \#hello
    Lučić                       Lu#C4#8Di#C4#87
Encoder.LdapDistinguishedNameEncode Method (String, Boolean, Boolean)
Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string LdapDistinguishedNameEncode(
    string input,
    bool useInitialCharacterRules,
    bool useFinalCharacterRule
)
Visual Basic
Public Shared Function LdapDistinguishedNameEncode( _
    input As String, _
    useInitialCharacterRules As Boolean, _
    useFinalCharacterRule As Boolean _
) As String
Visual C++
public:
static String^ LdapDistinguishedNameEncode(
    String^ input,
    bool useInitialCharacterRules,
    bool useFinalCharacterRule
)
Parameters
input
    Type: System.String
    String to be encoded.
useInitialCharacterRules
    Type: System.Boolean
    Value indicating whether the special case rules for encoding of spaces and octothorpes at the start of a string are used.
useFinalCharacterRule
    Type: System.Boolean
    Value indicating whether the special case for encoding of final character spaces is used.
Return Value
Encoded string for use as a value in LDAP DNs.
Remarks
This method encodes all but known safe characters defined in the safe list. RFC 2253 defines the format in which special characters need to be escaped to be used inside a search filter. Special characters need to be encoded in #XX format where XX is the hex representation of the character or a specific \ escape format.
The following examples illustrate the use of the escaping mechanism.
    Input                       Output
    ,+\"\<>                     \,\+\"\\\<\>
     hello (leading space)      \ hello
    hello  (trailing space)     hello\ 
    #hello                      \#hello
    Lučić                       Lu#C4#8Di#C4#87
If useInitialCharacterRules is set to false then escaping of the initial space or octothorpe characters is not performed;
    Input                       Output
    ,+\"\<>                     \,\+\"\\\<\>
     hello (leading space)       hello
    hello  (trailing space)     hello\ 
    #hello                      #hello
    Lučić                       Lu#C4#8Di#C4#87
If useFinalCharacterRule is set to false then escaping of a space at the end of a string is not performed;
    Input                       Output
    ,+\"\<>                     \,\+\"\\\<\>
     hello (leading space)       hello
    hello  (trailing space)     hello 
    #hello                      #hello
    Lučić                       Lu#C4#8Di#C4#87
Encoder.LdapEncode Method
Encodes input strings to be used as a value in Lightweight Directory Access Protocol (LDAP) search queries.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
[ObsoleteAttribute("This method has been deprecated. Please use Encoder.LdapFilterEncode() instead.")]
public static string LdapEncode(
    string input
)
Visual Basic
<ObsoleteAttribute("This method has been deprecated. Please use Encoder.LdapFilterEncode() instead.")> _
Public Shared Function LdapEncode( _
    input As String _
) As String
Visual C++
[ObsoleteAttribute(L"This method has been deprecated. Please use Encoder.LdapFilterEncode() instead.")]
public:
static String^ LdapEncode(
    String^ input
)
Parameters
input
    Type: System.String
    String to be encoded.
Return Value
Encoded string for use in LDAP search queries.
Remarks
This method encodes all but known safe characters defined in the safe list. RFC 4515 defines the format in which special characters need to be escaped to be used inside a search filter. Special characters need to be encoded in \XX format where XX is the hex representation of the character.
The following examples illustrate the use of the escaping mechanism.
    Input                                             Output
    Parens R Us (for all your parenthetical needs)    Parens R Us \28for all your parenthetical needs\29
    *                                                 \2A
    C:\MyFile                                         C:\5CMyFile
    NULLNULLNULLEOT (binary)                          \00\00\00\04
    Lučić                                             Lu\C4\8Di\C4\87
Encoder.LdapFilterEncode Method
Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) filter queries.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string LdapFilterEncode(
    string input
)
Visual Basic
Public Shared Function LdapFilterEncode( _
    input As String _
) As String
Visual C++
public:
static String^ LdapFilterEncode(
    String^ input
)
Parameters
input
    Type: System.String
    String to be encoded.
Return Value
Encoded string for use as a value in LDAP filter queries.
Remarks
This method encodes all but known safe characters defined in the safe list. RFC 4515 defines the format in which special characters need to be escaped to be used inside a search filter. Special characters need to be encoded in \XX format where XX is the hex representation of the character.
The following examples illustrate the use of the escaping mechanism.
    Input                                             Output
    Parens R Us (for all your parenthetical needs)    Parens R Us \28for all your parenthetical needs\29
    *                                                 \2A
    C:\MyFile                                         C:\5CMyFile
    NULLNULLNULLEOT (binary)                          \00\00\00\04
    Lučić                                             Lu\C4\8Di\C4\87
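Filter values and DN values are different contexts with different escape formats, so each needs its own encoder. The following is an added example, not code from the original documentation; the directory layout (ou=People,dc=example,dc=com), the attribute names and the helper names are hypothetical, and using the three-argument overload for parts of a value is one reading of what its flags are for.

```csharp
using System;
using Microsoft.Security.Application;   // AntiXssLibrary40.dll, as documented above

static class LdapEncodingExample
{
    // Hypothetical base DN used only for this example.
    const string PeopleBase = "ou=People,dc=example,dc=com";

    // Before: untrusted text is concatenated straight into the filter, so
    // filter metacharacters such as * ( ) \ keep their meaning. A lone "*"
    // turns an exact-match lookup into a match on every entry.
    static string BuildFilterUnencoded(string userName)
    {
        return "(&(objectClass=person)(cn=" + userName + "))";
    }

    // After: the value is encoded for the filter context (\XX format).
    static string BuildFilterEncoded(string userName)
    {
        return "(&(objectClass=person)(cn="
             + Encoder.LdapFilterEncode(userName) + "))";
    }

    // A whole attribute value inside a DN. The single-argument overload
    // applies the initial space/octothorpe rules and the final space rule.
    static string BuildDn(string commonName)
    {
        return "cn=" + Encoder.LdapDistinguishedNameEncode(commonName)
             + "," + PeopleBase;
    }

    // A value assembled from two untrusted parts. Only the first part can
    // begin the value and only the last part can end it, so the final rule
    // is switched off for the head and the initial rules for the tail.
    static string BuildDnFromParts(string givenName, string surname)
    {
        string head = Encoder.LdapDistinguishedNameEncode(givenName, true, false);
        string tail = Encoder.LdapDistinguishedNameEncode(surname, false, true);
        return "cn=" + head + " " + tail + "," + PeopleBase;
    }

    static void Main()
    {
        // Constructed sample inputs, taken from the Remarks tables above.
        string[] samples =
        {
            "*",
            "Parens R Us (for all your parenthetical needs)",
            "#hello",
            " hello",
            "hello "
        };

        foreach (string sample in samples)
        {
            Console.WriteLine("input            : [" + sample + "]");
            Console.WriteLine("filter, unencoded: " + BuildFilterUnencoded(sample));
            Console.WriteLine("filter, encoded  : " + BuildFilterEncoded(sample));
            Console.WriteLine("DN               : " + BuildDn(sample));
            Console.WriteLine();
        }

        Console.WriteLine(BuildDnFromParts("#hello", "hello "));
    }
}
```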
Overload List
Name                          Description
UrlEncode(String)             Encodes input strings for use in universal resource locators (URLs).
UrlEncode(String, Int32)      Encodes input strings for use in universal resource locators (URLs).
UrlEncode(String, Encoding)   Encodes input strings for use in universal resource locators (URLs).
Encoder.UrlEncode Method (String)
Encodes input strings for use in universal resource locators (URLs).
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string UrlEncode(
    string input
)
Visual Basic
Public Shared Function UrlEncode( _
    input As String _
) As String
Visual C++
public:
static String^ UrlEncode(
    String^ input
)
Parameters
input
    Type: System.String
    String to be encoded.
Return Value
Encoded string for use in URLs.
Remarks
This function encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation.
Safe characters include:
    a-z    Lowercase alphabet
    A-Z    Uppercase alphabet
    0-9    Numbers
    .      Period
    -      Dash
    _      Underscore
    ~      Tilde
Example inputs and encoded outputs:
    alert('XSS Attack!');               alert%28%27XSS%20Attack%21%27%29%3b
    user@contoso.com                    user%40contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross%20Site%20Scripting%20Library
Encoder.UrlEncode Method (String, Int32)
Encodes input strings for use in universal resource locators (URLs).
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string UrlEncode(
    string input,
    int codePage
)
Visual Basic
Public Shared Function UrlEncode( _
    input As String, _
    codePage As Integer _
) As String
Visual C++
public:
static String^ UrlEncode(
    String^ input,
    int codePage
)
Parameters
input
    Type: System.String
    String to be encoded.
codePage
    Type: System.Int32
    Codepage number of the input.
Return Value
Remarks
This function encodes the output as per the encoding parameter (codepage) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation.
Safe characters include:
    a-z    Lowercase alphabet
    A-Z    Uppercase alphabet
    0-9    Numbers
    .      Period
    -      Dash
    _      Underscore
    ~      Tilde
Example inputs and encoded outputs:
    alert('XSSAttack!');                alert%28%27XSS%82%a0Attack%21%27%29%3b
    user@contoso.com                    user%40contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross%20Site%20Scripting%20Library
Encoder.UrlEncode Method (String, Encoding)
Encodes input strings for use in universal resource locators (URLs).
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string UrlEncode(
    string input,
    Encoding inputEncoding
)
Visual Basic
Public Shared Function UrlEncode( _
    input As String, _
    inputEncoding As Encoding _
) As String
Visual C++
public:
static String^ UrlEncode(
    String^ input,
    Encoding^ inputEncoding
)
Parameters
input
    Type: System.String
    String to be encoded.
inputEncoding
    Type: System.Text.Encoding
    Input encoding type.
Return Value
Remarks
This function encodes the output as per the encoding parameter (codepage) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. If the inputEncoding is null then UTF-8 is assumed by default.
Safe characters include:
    a-z    Lowercase alphabet
    A-Z    Uppercase alphabet
    0-9    Numbers
    .      Period
    -      Dash
    _      Underscore
    ~      Tilde
Example inputs and encoded outputs:
    alert('XSSAttack!');                alert%28%27XSS%82%a0Attack%21%27%29%3b
    user@contoso.com                    user%40contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross%20Site%20Scripting%20Library
Encoder.UrlPathEncode Method
URL-encodes the path section of a URL string and returns the encoded string.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string UrlPathEncode(
    string input
)
Visual Basic
Public Shared Function UrlPathEncode( _
    input As String _
) As String
Visual C++
public:
static String^ UrlPathEncode(
    String^ input
)
Parameters
input
    Type: System.String
    The text to URL path encode
Return Value
The URL path encoded text.
Encoder.VisualBasicScriptEncode Method
Encodes input strings for use in Visual Basic Script.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string VisualBasicScriptEncode(
    string input
)
Visual Basic
Public Shared Function VisualBasicScriptEncode( _
    input As String _
) As String
Visual C++
public:
static String^ VisualBasicScriptEncode(
    String^ input
)
Parameters
input
    Type: System.String
    String to be encoded.
Return Value
Encoded string for use in Visual Basic Script.
Remarks
This function encodes all but known safe characters. Characters are encoded using &chrw(DECIMAL) notation.
Safe characters include:
    a-z    Lowercase alphabet
    A-Z    Uppercase alphabet
    0-9    Numbers
    ,      Comma
    .      Period
    -      Dash
    _      Underscore
           Space
Example inputs and encoded outputs:
    alert('XSS Attack!');               "alert"&chrw(40)&chrw(39)&"XSS Attack"&chrw(33)&chrw(39)&chrw(41)&chrw(59)
    user@contoso.com                    "user"&chrw(64)&"contoso.com"
    Anti-Cross Site Scripting Library   "Anti-Cross Site Scripting Library"
Encoder.XmlAttributeEncode Method
Encodes input strings for use in XML attributes.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string XmlAttributeEncode(
    string input
)
Visual Basic
Public Shared Function XmlAttributeEncode( _
    input As String _
) As String
Visual C++
public:
static String^ XmlAttributeEncode(
    String^ input
)
Parameters
input
    Type: System.String
    String to be encoded.
Return Value
Encoded string for use in XML attributes.
Remarks
This function encodes all but known safe characters. Characters are encoded using &#DECIMAL; notation.
Safe characters include:
    a-z    Lowercase alphabet
    A-Z    Uppercase alphabet
    0-9    Numbers
    ,      Comma
    .      Period
    -      Dash
    _      Underscore
The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).
Example inputs and encoded outputs:
    alert('XSS Attack!');               alert('XSSAttack!&apos);
    user@contoso.com                    user@contoso.com
    Anti-Cross Site Scripting Library
Encoder.XmlEncode Method
Encodes input strings for use in XML.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static string XmlEncode(
    string input
)
Visual Basic
Public Shared Function XmlEncode( _
    input As String _
) As String
Visual C++
public:
static String^ XmlEncode(
    String^ input
)
Parameters
input
    Type: System.String
    String to be encoded.
Return Value
Encoded string for use in XML.
Remarks
This function encodes all but known safe characters. Characters are encoded using &#DECIMAL; notation.
Safe characters include:
    a-z    Lowercase alphabet
    A-Z    Uppercase alphabet
    0-9    Numbers
    ,      Comma
    .      Period
    -      Dash
    _      Underscore
           Space
The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).
Example inputs and encoded outputs:
    alert('XSS Attack!');               alert('XSSAttack!');
    user@contoso.com                    user@contoso.com
    Anti-Cross Site Scripting Library
LowerCodeCharts Enumeration
Values for the lowest section of the UTF8 Unicode code tables, from U0000 to U0FFF.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
[FlagsAttribute]
public enum LowerCodeCharts
Visual Basic
<FlagsAttribute> _
Public Enumeration LowerCodeCharts
Visual C++
[FlagsAttribute]
public enum class LowerCodeCharts
Members
Member name                     Value        Description
None                            0            No code charts from the lower region of the Unicode tables are safe-listed.
BasicLatin                      1            The Basic Latin code table.
C1ControlsAndLatin1Supplement   2            The C1 Controls and Latin-1 Supplement code table.
LatinExtendedA                  4            The Latin Extended-A code table.
LatinExtendedB                  8            The Latin Extended-B code table.
IpaExtensions                   16           The IPA Extensions code table.
SpacingModifierLetters          32           The Spacing Modifier Letters code table.
CombiningDiacriticalMarks       64           The Combining Diacritical Marks code table.
GreekAndCoptic                  128          The Greek and Coptic code table.
Cyrillic                        256          The Cyrillic code table.
CyrillicSupplement              512          The Cyrillic Supplement code table.
Armenian                        1024         The Armenian code table.
Hebrew                          2048         The Hebrew code table.
Arabic                          4096         The Arabic code table.
Syriac                          8192         The Syriac code table.
ArabicSupplement                16384        The Arabic Supplement code table.
Thaana                          32768        The Thaana code table.
Nko                             65536        The Nko code table.
Samaritan                       131072       The Samaritan code table.
Devanagari                      262144       The Devanagari code table.
Bengali                         524288       The Bengali code table.
Gurmukhi                        1048576      The Gurmukhi code table.
Gujarati                        2097152      The Gujarati code table.
Oriya                           4194304      The Oriya code table.
Tamil                           8388608      The Tamil code table.
Telugu                          16777216     The Telugu code table.
Kannada                         33554432     The Kannada code table.
Malayalam                       67108864     The Malayalam code table.
Sinhala                         134217728    The Sinhala code table.
Thai                            268435456    The Thai code table.
Lao                             536870912    The Lao code table.
Tibetan                         1073741824   The Tibetan code table.
Default                         127          The default code tables marked as safe on initialisation.
LowerMidCodeCharts Enumeration
Values for the lower-mid section of the UTF8 Unicode code tables, from U1000 to U1EFF.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
[FlagsAttribute]
public enum LowerMidCodeCharts
Visual Basic
<FlagsAttribute> _
Public Enumeration LowerMidCodeCharts
Visual C++
[FlagsAttribute]
public enum class LowerMidCodeCharts
Members
Member name                                  Value        Description
None                                         0            No code charts from the lower-mid region of the Unicode tables are safe-listed.
Myanmar                                      1            The Myanmar code table.
Georgian                                     2            The Georgian code table.
HangulJamo                                   4            The Hangul Jamo code table.
Ethiopic                                     8            The Ethiopic code table.
EthiopicSupplement                           16           The Ethiopic supplement code table.
Cherokee                                     32           The Cherokee code table.
UnifiedCanadianAboriginalSyllabics           64           The Unified Canadian Aboriginal Syllabics code table.
Ogham                                        128          The Ogham code table.
Runic                                        256          The Runic code table.
Tagalog                                      512          The Tagalog code table.
Hanunoo                                      1024         The Hanunoo code table.
Buhid                                        2048         The Buhid code table.
Tagbanwa                                     4096         The Tagbanwa code table.
Khmer                                        8192         The Khmer code table.
Mongolian                                    16384        The Mongolian code table.
UnifiedCanadianAboriginalSyllabicsExtended   32768        The Unified Canadian Aboriginal Syllabics Extended code table.
Limbu                                        65536        The Limbu code table.
TaiLe                                        131072       The Tai Le code table.
NewTaiLue                                    262144       The New Tai Lue code table.
KhmerSymbols                                 524288       The Khmer Symbols code table
Buginese                                     1048576      The Buginese code table.
TaiTham                                      2097152      The Tai Tham code table.
Balinese                                     4194304      The Balinese code table.
Sudanese                                     8388608      The Sudanese code table.
Lepcha                                       16777216     The Lepcha code table.
OlChiki                                      33554432     The Ol Chiki code table.
VedicExtensions                              67108864     The Vedic Extensions code table.
PhoneticExtensions                           134217728    The Phonetic Extensions code table.
PhoneticExtensionsSupplement                 268435456    The Phonetic Extensions Supplement code table.
CombiningDiacriticalMarksSupplement          536870912    The Combining Diacritical Marks Supplement code table.
LatinExtendedAdditional                      1073741824   The Latin Extended
MidCodeCharts Enumeration
Values for the middle section of the UTF8 Unicode code tables, from U1F00 to U2DDF
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
[FlagsAttribute]
public enum MidCodeCharts
Visual Basic
<FlagsAttribute> _
Public Enumeration MidCodeCharts
Visual C++
[FlagsAttribute]
public enum class MidCodeCharts
Members
Member name                           Value        Description
None                                  0            No code charts from the lower region of the Unicode tables are safe-listed.
GreekExtended                         1            The Greek Extended code table.
GeneralPunctuation                    2            The General Punctuation code table.
SuperscriptsAndSubscripts             4            The Superscripts and Subscripts code table.
CurrencySymbols                       8            The Currency Symbols code table.
CombiningDiacriticalMarksForSymbols   16           The Combining Diacritical Marks for Symbols code table.
LetterlikeSymbols                     32           The Letterlike Symbols code table.
NumberForms                           64           The Number Forms code table.
Arrows                                128          The Arrows code table.
MathematicalOperators                 256          The Mathematical Operators code table.
MiscellaneousTechnical                512          The Miscellaneous Technical code table.
ControlPictures                       1024         The Control Pictures code table.
OpticalCharacterRecognition           2048         The Optical Character Recognition table.
EnclosedAlphanumerics                 4096         The Enclosed Alphanumeric code table.
BoxDrawing                            8192         The Box Drawing code table.
BlockElements                         16384        The Block Elements code table.
GeometricShapes                       32768        The Geometric Shapes code table.
MiscellaneousSymbols                  65536        The Miscellaneous Symbols code table.
Dingbats                              131072       The Dingbats code table.
MiscellaneousMathematicalSymbolsA     262144       The Miscellaneous Mathematical Symbols-A code table.
SupplementalArrowsA                   524288       The Supplemental Arrows-A code table.
BraillePatterns                       1048576      The Braille Patterns code table.
SupplementalArrowsB                   2097152      The Supplemental Arrows-B code table.
MiscellaneousMathematicalSymbolsB     4194304      The Miscellaneous Mathematical Symbols-B code table.
SupplementalMathematicalOperators     8388608      The Supplemental Mathematical Operators code table.
MiscellaneousSymbolsAndArrows         16777216     The Miscellaneous Symbols and Arrows code table.
Glagolitic                            33554432     The Glagolitic code table.
LatinExtendedC                        67108864     The Latin Extended-C code table.
Coptic                                134217728    The Coptic code table.
GeorgianSupplement                    268435456    The Georgian Supplement code table.
Tifinagh                              536870912    The Tifinagh code table.
EthiopicExtended                      16384        The Ethiopic Extended code table.
Sanitizer Class
Sanitizes input HTML to make it safe to be displayed on a browser by removing potentially dangerous tags.
Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll) Version: 4.2.0.0
Syntax
C#
public static class Sanitizer
Visual Basic
Public NotInheritable Class Sanitizer
Visual C++
public ref class Sanitizer abstract sealed
Remarks
This sanitization library uses the Principle of Inclusions, sometimes referred to as "safe-listing", to provide protection against injection attacks. With safe-listing protection, algorithms look for valid inputs and automatically treat everything outside that set as a potential attack. This library can be used as a defense in depth approach with other mitigation techniques.
Inheritance Hierarchy
System.Object
    Microsoft.Security.Application.Sanitizer
Methods
Name                                          Description
GetSafeHtml(String)                           Sanitizes input HTML document for safe display on browser.
GetSafeHtml(TextReader, Stream)               Sanitizes input HTML document for safe display on browser.
GetSafeHtml(TextReader, TextWriter)           Sanitizes input HTML document for safe display on browser.
GetSafeHtmlFragment(String)                   Sanitizes input HTML fragment for safe display on browser.
GetSafeHtmlFragment(TextReader, Stream)       Sanitizes input HTML fragment for safe display on browser.
GetSafeHtmlFragment(TextReader, TextWriter)   Sanitizes input HTML fragment for safe display on browser.
Overload List
Name                                  Description
GetSafeHtml(String)                   Sanitizes input HTML document for safe display on browser.
GetSafeHtml(TextReader, Stream)       Sanitizes input HTML document for safe display on browser.
GetSafeHtml(TextReader, TextWriter)   Sanitizes input HTML document for safe display on browser.
Sanitizer.GetSafeHtml Method (String)
Sanitizes input HTML document for safe display on browser.
Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll) Version: 4.2.0.0
Syntax
C#
public static string GetSafeHtml(
    string input
)
Visual Basic
Public Shared Function GetSafeHtml( _
    input As String _
) As String
Visual C++
public:
static String^ GetSafeHtml(
    String^ input
)
Parameters
input
    Type: System.String
    Malicious HTML Document
Return Value
A sanitized HTML document
Remarks
The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.
Sanitizer.GetSafeHtml Method (TextReader, Stream)
Sanitizes input HTML document for safe display on browser.
Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll) Version: 4.2.0.0
Syntax
C#
public static void GetSafeHtml(
    TextReader sourceReader,
    Stream destinationStream
)
Visual Basic
Public Shared Sub GetSafeHtml( _
    sourceReader As TextReader, _
    destinationStream As Stream _
)
Visual C++
public:
static void GetSafeHtml(
    TextReader^ sourceReader,
    Stream^ destinationStream
)
Parameters
sourceReader
    Type: System.IO.TextReader
    Source text reader with malicious HTML
destinationStream
    Type: System.IO.Stream
    Stream to write safe HTML
Remarks
The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.
Sanitizer.GetSafeHtml Method (TextReader, TextWriter)
Sanitizes input HTML document for safe display on browser.
Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll) Version: 4.2.0.0
Syntax
C#
public static void GetSafeHtml(
    TextReader sourceReader,
    TextWriter destinationWriter
)
Visual Basic
Public Shared Sub GetSafeHtml( _
    sourceReader As TextReader, _
    destinationWriter As TextWriter _
)
Visual C++
public:
static void GetSafeHtml(
    TextReader^ sourceReader,
    TextWriter^ destinationWriter
)
Parameters
sourceReader
    Type: System.IO.TextReader
    Source text reader with malicious HTML
destinationWriter
    Type: System.IO.TextWriter
    TextWriter to write safe HTML
Remarks
The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.
Overload List
Name                                          Description
GetSafeHtmlFragment(String)                   Sanitizes input HTML fragment for safe display on browser.
GetSafeHtmlFragment(TextReader, Stream)       Sanitizes input HTML fragment for safe display on browser.
GetSafeHtmlFragment(TextReader, TextWriter)   Sanitizes input HTML fragment for safe display on browser.
Sanitizer.GetSafeHtmlFragment Method (String)
Sanitizes input HTML fragment for safe display on browser.
Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll) Version: 4.2.0.0
Syntax
C#
public static string GetSafeHtmlFragment(
    string input
)
Visual Basic
Public Shared Function GetSafeHtmlFragment( _
    input As String _
) As String
Visual C++
public:
static String^ GetSafeHtmlFragment(
    String^ input
)
Parameters
input
    Type: System.String
    Malicious HTML fragment
Return Value
Safe HTML fragment
Remarks
The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.
Sanitizer.GetSafeHtmlFragment Method (TextReader, Stream)
Sanitizes input HTML fragment for safe display on browser.
Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll) Version: 4.2.0.0
Syntax
C#
public static void GetSafeHtmlFragment(
    TextReader sourceReader,
    Stream destinationStream
)
Visual Basic
Public Shared Sub GetSafeHtmlFragment( _
    sourceReader As TextReader, _
    destinationStream As Stream _
)
Visual C++
public:
static void GetSafeHtmlFragment(
    TextReader^ sourceReader,
    Stream^ destinationStream
)
Parameters
sourceReader
    Type: System.IO.TextReader
    Source text reader with malicious HTML
destinationStream
    Type: System.IO.Stream
    Stream to write safe HTML
Remarks
The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.
Sanitizer.GetSafeHtmlFragment Method (TextReader, TextWriter)
Sanitizes input HTML fragment for safe display on browser.
Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll) Version: 4.2.0.0
Syntax
C#
public static void GetSafeHtmlFragment(
    TextReader sourceReader,
    TextWriter destinationWriter
)
Visual Basic
Public Shared Sub GetSafeHtmlFragment( _
    sourceReader As TextReader, _
    destinationWriter As TextWriter _
)
Visual C++
public:
static void GetSafeHtmlFragment(
    TextReader^ sourceReader,
    TextWriter^ destinationWriter
)
Parameters
sourceReader
    Type: System.IO.TextReader
    Source text reader with malicious HTML
destinationWriter
    Type: System.IO.TextWriter
    Stream to write safe HTML
Remarks
The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized where tags are properly closed and attributes are properly formatted.
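The Sanitizer overloads described above can be exercised with a small regression check that feeds in markup the safe list should not pass and inspects what comes back. The following is an added example, not code from the original documentation; the class name, helper names and the sample markup are constructed, and the list of markers checked is an assumption about what a deployment would want to verify.

```csharp
using System;
using System.IO;
using Microsoft.Security.Application;   // HtmlSanitizationLibrary.dll, as documented above

static class SanitizerExample
{
    // Rich-text field (comment body, signature): sanitize as a fragment.
    static string SanitizeComment(string untrustedHtml)
    {
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }

    // Whole uploaded page: stream it through the reader/writer overload so
    // the caller decides where the sanitized output is written.
    static void SanitizeDocument(TextReader source, TextWriter destination)
    {
        Sanitizer.GetSafeHtml(source, destination);
    }

    // Returns the markers that are still present after sanitization.
    // An empty result means none of the checked constructs survived.
    static string[] SurvivingMarkers(string sanitized)
    {
        // Assumed check list: script elements, an event-handler attribute,
        // and the style attribute that version 4.2 is documented to remove.
        string[] markers = { "<script", "onclick", "style=" };
        return Array.FindAll(
            markers,
            m => sanitized.IndexOf(m, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    static void Main()
    {
        // Constructed input: ordinary formatting mixed with a script
        // element, an event-handler attribute and a style attribute.
        string comment =
            "<p onclick=\"doSomething()\" style=\"color:red\">Hello " +
            "<b>world</b><script>alert(1)</script></p>";

        string safeFragment = SanitizeComment(comment);
        Console.WriteLine("fragment : " + safeFragment);
        Console.WriteLine("survivors: "
            + string.Join(", ", SurvivingMarkers(safeFragment)));

        // Same content wrapped as a document, through the streaming overload.
        string page = "<html><head><title>t</title></head><body>"
                    + comment + "</body></html>";
        using (var reader = new StringReader(page))
        using (var writer = new StringWriter())
        {
            SanitizeDocument(reader, writer);
            string safePage = writer.ToString();
            Console.WriteLine("document : " + safePage);
            Console.WriteLine("survivors: "
                + string.Join(", ", SurvivingMarkers(safePage)));
        }
    }
}
```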
UnicodeCharacterEncoder Class
Provides HTML encoding methods.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static class UnicodeCharacterEncoder
Visual Basic
Public NotInheritable Class UnicodeCharacterEncoder
Visual C++
public ref class UnicodeCharacterEncoder abstract sealed
Inheritance Hierarchy
System.Object
    Microsoft.Security.Application.UnicodeCharacterEncoder
UnicodeCharacterEncoder Members
The UnicodeCharacterEncoder type exposes the following members.
UnicodeCharacterEncoder.MarkAsSafe Method
Marks characters from the specified languages as safe.
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
public static void MarkAsSafe(
    LowerCodeCharts lowerCodeCharts,
    LowerMidCodeCharts lowerMidCodeCharts,
    MidCodeCharts midCodeCharts,
    UpperMidCodeCharts upperMidCodeCharts,
    UpperCodeCharts upperCodeCharts
)
Visual Basic
Public Shared Sub MarkAsSafe ( _
    lowerCodeCharts As LowerCodeCharts, _
    lowerMidCodeCharts As LowerMidCodeCharts, _
    midCodeCharts As MidCodeCharts, _
    upperMidCodeCharts As UpperMidCodeCharts, _
    upperCodeCharts As UpperCodeCharts _
)
Visual C++
public:
static void MarkAsSafe(
    LowerCodeCharts lowerCodeCharts,
    LowerMidCodeCharts lowerMidCodeCharts,
    MidCodeCharts midCodeCharts,
    UpperMidCodeCharts upperMidCodeCharts,
    UpperCodeCharts upperCodeCharts
)
Parameters
lowerCodeCharts
    Type: Microsoft.Security.Application.LowerCodeCharts
    The combination of lower code charts to use.
lowerMidCodeCharts
    Type: Microsoft.Security.Application.LowerMidCodeCharts
    The combination of lower mid code charts to use.
midCodeCharts
    Type: Microsoft.Security.Application.MidCodeCharts
    The combination of mid code charts to use.
upperMidCodeCharts
    Type: Microsoft.Security.Application.UpperMidCodeCharts
    The combination of upper mid code charts to use.
upperCodeCharts
    Type: Microsoft.Security.Application.UpperCodeCharts
    The combination of upper code charts to use.
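Example
The following usage sketch is an added example, not part of the original help file. It safe-lists three upper-mid charts and encodes the same strings before and after the call. The class and method names and the sample strings are constructed for illustration, LowerCodeCharts.Default comes from the same library but is not listed in this section, and the AntiXssLibrary assembly is assumed to be referenced.

```csharp
using System;
using Microsoft.Security.Application;

public static class SafeListDemo   // hypothetical name
{
    // MarkAsSafe is static, so the safe list it builds is shared by every
    // later encode call in the application. Set it once at start-up.
    public static void ConfigureJapaneseSafeList()
    {
        UnicodeCharacterEncoder.MarkAsSafe(
            LowerCodeCharts.Default,   // the library's default Latin charts
            LowerMidCodeCharts.None,
            MidCodeCharts.None,
            // [Flags] members are combined with bitwise OR.
            UpperMidCodeCharts.Hiragana
                | UpperMidCodeCharts.Katakana
                | UpperMidCodeCharts.CjkUnifiedIdeographs,
            UpperCodeCharts.None);
    }

    public static void Main()
    {
        // Constructed sample input.
        string[] samples =
        {
            "こんにちは、世界",           // Hiragana, CJK punctuation, CJK ideographs
            "안녕하세요",                 // Hangul syllables (an UpperCodeCharts chart)
            "<script>alert('x')</script>" // markup that must never pass through
        };

        Console.WriteLine("Library defaults:");
        foreach (string s in samples)
            Console.WriteLine("  " + Encoder.HtmlEncode(s));

        ConfigureJapaneseSafeList();

        // Characters in the three safe-listed charts are now emitted as-is.
        // The ideographic comma belongs to CjkSymbolsAndPunctuation and the
        // Hangul text to HangulSyllables; neither chart was passed, so both
        // are still written as numeric character references.
        // Markup characters such as < and > are encoded in both runs.
        Console.WriteLine("After MarkAsSafe:");
        foreach (string s in samples)
            Console.WriteLine("  " + Encoder.HtmlEncode(s));
    }
}
```

Each call replaces the whole safe list, so a chart omitted from a later call is no longer safe-listed. Pass only the charts the application's content actually needs.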
See Also
UnicodeCharacterEncoder Class
Microsoft.Security.Application Namespace
UpperCodeCharts Enumeration
Values for the upper section of the UTF8 Unicode code tables, from UA8E0 to UFFFD
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
[FlagsAttribute]
public enum UpperCodeCharts
Visual Basic
<FlagsAttribute> _
Public Enum UpperCodeCharts
Visual C++
[FlagsAttribute]
public enum class UpperCodeCharts
Members
Member name                   Value    Description
None                          0        No code charts from the upper region of the Unicode tables are safe-listed.
DevanagariExtended            1        The Devanagari Extended code table.
KayahLi                       2        The Kayah Li code table.
Rejang                        4        The Rejang code table.
HangulJamoExtendedA           8        The Hangul Jamo Extended-A code table.
Javanese                      16       The Javanese code table.
Cham                          32       The Cham code table.
MyanmarExtendedA              64       The Myanmar Extended-A code table.
TaiViet                       128      The Tai Viet code table.
MeeteiMayek                   256      The Meetei Mayek code table.
HangulSyllables               512      The Hangul Syllables code table.
HangulJamoExtendedB           1024     The Hangul Jamo Extended-B code table.
CjkCompatibilityIdeographs    2048     The CJK Compatibility Ideographs code table.
AlphabeticPresentationForms   4096     The Alphabetic Presentation Forms code table.
ArabicPresentationFormsA      8192     The Arabic Presentation Forms-A code table.
VariationSelectors            16384    The Variation Selectors code table.
VerticalForms                 32768    The Vertical Forms code table.
CombiningHalfMarks            65536    The Combining Half Marks code table.
CjkCompatibilityForms         131072   The CJK Compatibility Forms code table.
SmallFormVariants             262144   The Small Form Variants code table.
ArabicPresentationFormsB      524288   The Arabic Presentation Forms-B code table.
HalfWidthAndFullWidthForms    1048576  The Halfwidth and Fullwidth Forms code table.
Specials                      2097152  The Specials code table.
See Also
Microsoft.Security.Application Namespace
UpperMidCodeCharts Enumeration
Values for the upper middle section of the UTF8 Unicode code tables, from U2DE0 to UA8DF
Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll) Version: 4.2.0.0
Syntax
C#
[FlagsAttribute]
public enum UpperMidCodeCharts
Visual Basic
<FlagsAttribute> _
Public Enum UpperMidCodeCharts
Visual C++
[FlagsAttribute]
public enum class UpperMidCodeCharts
Members
Member name                       Value       Description
None                              0           No code charts from the lower region of the Unicode tables are safe-listed.
CyrillicExtendedA                 1           The Cyrillic Extended-A code table.
SupplementalPunctuation           2           The Supplemental Punctuation code table.
CjkRadicalsSupplement             4           The CJK Radicals Supplement code table.
KangxiRadicals                    8           The Kangxi Radicals code table.
IdeographicDescriptionCharacters  16          The Ideographic Description Characters code table.
CjkSymbolsAndPunctuation          32          The CJK Symbols and Punctuation code table.
Hiragana                          64          The Hiragana code table.
Katakana                          128         The Katakana code table.
Bopomofo                          256         The Bopomofo code table.
HangulCompatibilityJamo           512         The Hangul Compatibility Jamo code table.
Kanbun                            1024        The Kanbun code table.
BopomofoExtended                  2048        The Bopomofo Extended code table.
CjkStrokes                        4096        The CJK Strokes code table.
KatakanaPhoneticExtensions        8192        The Katakana Phonetic Extensions code table.
EnclosedCjkLettersAndMonths       16384       The Enclosed CJK Letters and Months code table.
CjkCompatibility                  32768       The CJK Compatibility code table.
CjkUnifiedIdeographsExtensionA    65536       The CJK Unified Ideographs Extension A code table.
YijingHexagramSymbols             131072      The Yijing Hexagram Symbols code table.
CjkUnifiedIdeographs              262144      The CJK Unified Ideographs code table.
YiSyllables                       524288      The Yi Syllables code table.
YiRadicals                        1048576     The Yi Radicals code table.
Lisu                              2097152     The Lisu code table.
Vai                               4194304     The Vai code table.
CyrillicExtendedB                 8388608     The Cyrillic Extended-B code table.
Bamum                             16777216    The Bamum code table.
ModifierToneLetters               33554432    The Modifier Tone Letters code table.
LatinExtendedD                    67108864    The Latin Extended-D code table.
SylotiNagri                       134217728   The Syloti Nagri code table.
CommonIndicNumberForms            268435456   The Common Indic Number Forms code table.
Phagspa                           536870912   The Phags-pa code table.
Saurashtra                        1073741824  The Saurashtra code table.
See Also
Microsoft.Security.Application Namespace