Have you come across any better strategies? Also, in 4.3.0, the Microsoft.Security.Application.Encoder.CssEncode is turning the styles into this: style=”text0002Dalign0003A00020center0003B00020″ Is this intended?
I’m afraid to say, the AntiXSS module is now completely and hopelessly broken in this regard. I honestly haven’t found any good workarounds as long as AntiXSS is involved so we’ve built a module from scratch using HtmlAgilityPack and regex filtering attributes. The custom filtering takes place around lines 145 – 154 in my example.
It’s not ideal, but it seems to work so far (our bit of code is tied up in licenses, but there are lots of examples out there of stripping unsafe chars).
We’ve also moved on from the .Net framework lately. There were too many breaking changes, too many hurdles and, dare I say, too much bloat in lot of the web development tech Microsoft has put out to justify the time cost to developers. Our operation has since switched almost entirely to Python and PHP (yes, even PHP was more attractive here). These are just symptoms of a bigger cultural problem at Microsoft and I don’t know if things will ever change under new management.
If you can at all move on from ASP.Net, I’d strongly recommend you do so. I already did.
This page intentionally left ugly 
Seems like a good a place as any to ask about your AntiXss article: https://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/
Have you come across any better strategies? Also, in 4.3.0, the Microsoft.Security.Application.Encoder.CssEncode is turning the styles into this: style=”text0002Dalign0003A00020center0003B00020″ Is this intended?
Thank you sir,
Jay
Hi Jay,
I’m afraid to say, the AntiXSS module is now completely and hopelessly broken in this regard. I honestly haven’t found any good workarounds as long as AntiXSS is involved so we’ve built a module from scratch using HtmlAgilityPack and regex filtering attributes. The custom filtering takes place around lines 145 – 154 in my example.
It’s not ideal, but it seems to work so far (our bit of code is tied up in licenses, but there are lots of examples out there of stripping unsafe chars).
We’ve also moved on from the .Net framework lately. There were too many breaking changes, too many hurdles and, dare I say, too much bloat in lot of the web development tech Microsoft has put out to justify the time cost to developers. Our operation has since switched almost entirely to Python and PHP (yes, even PHP was more attractive here). These are just symptoms of a bigger cultural problem at Microsoft and I don’t know if things will ever change under new management.
If you can at all move on from ASP.Net, I’d strongly recommend you do so. I already did.
Good luck on your project!
– e