shahjay748
Asp.net web forms uses & ; and " for its internal post back and encoding those creates problems.
@mganss how can I replace that formatter so that & does not get encoded?
@mganss e.g. Asp.net web form is posting data as below, where we cannot encode & FirstName=Jay&LastName=SHAH&Details=alert('xss') Hello World !&;"'=$? Please check below image - I get & encoded, but that's...
@mganss In Custom OutputFormatter, which method/property should I override to stop the encoding of &? Overriding the Attribute method is not helping here.
@mganss Below is the Input (3 form fields Firstname, LastName and Details - posted using form POST): FirstName=Jay&LastName=SHAH&Details=alert('xss') Hello World !&;"'=$?
@mganss Yes, but unfortunately, that's not an option as this is a huge legacy application and there are 100s of pages that have lots of fields which can have unsafe HTML....
@mganss It would be a great help if you can suggest any other way in your library to sanitize entire Request body, so we can just plug it in Asp.Net...
@mganss Yes, by overriding Read method and applying sanitizer there.
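As an added example (not code from this issue thread or from the HtmlSanitizer project), here is one way to sanitize a posted form body field by field rather than as one raw string, so the `&` and `=` that separate fields are never passed to the sanitizer. It assumes HtmlSanitizer's `Sanitize` method and `System.Web.HttpUtility`; the `Ganss.Xss` namespace and the skipping of `__`-prefixed Web Forms fields are my assumptions.

```csharp
// Added example: sanitize each decoded form value separately, then re-encode.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web;      // HttpUtility (System.Web.HttpUtility package on .NET Core/5+)
using Ganss.Xss;       // HtmlSanitizer (assumed namespace; older releases use Ganss.XSS)

public static class FormBodySanitizer
{
    private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    // Parses an application/x-www-form-urlencoded body, sanitizes every decoded
    // value, and rebuilds the body so the field separators stay intact.
    public static string SanitizeFormBody(string rawBody)
    {
        NameValueCollection fields = HttpUtility.ParseQueryString(rawBody);
        var parts = new List<string>();
        foreach (string key in fields.AllKeys)
        {
            if (key == null) continue;                       // value posted without a name
            foreach (string value in fields.GetValues(key) ?? Array.Empty<string>())
            {
                // Assumption: leave ASP.NET's own postback fields (__VIEWSTATE,
                // __EVENTTARGET, ...) untouched; only user-entered fields are sanitized.
                string clean = key.StartsWith("__", StringComparison.Ordinal)
                    ? value
                    : Sanitizer.Sanitize(value);
                parts.Add(HttpUtility.UrlEncode(key) + "=" + HttpUtility.UrlEncode(clean));
            }
        }
        return string.Join("&", parts);
    }

    public static void Main()
    {
        // Constructed sample shaped like the body quoted in the thread.
        string body = "FirstName=Jay&LastName=SHAH&Details=" +
                      HttpUtility.UrlEncode("<script>alert('xss')</script> Hello World !&;\"'=$?");
        Console.WriteLine(SanitizeFormBody(body));
    }
}
```

The sanitizer still emits HTML, so a literal `&` inside a field value comes back as `&amp;`, which is the correct form if that value is later rendered as HTML; only the separators between fields are no longer affected.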