
I have been trying to decode a string like this:

&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041

into:

javascript:alert('XSS')

in C# but nothing works. I have tried using the AntiXss library to decode the string but it returns the exact same value entered. Could someone please assist me? I am trying to sanitize HTML coming into C# to prevent XSS injection.

yveslebeau
  • so what is it that is not working? – Maytham Fahmi Jul 30 '18 at 09:40
  • This old question says you want [HtmlDecode](https://stackoverflow.com/questions/1562360/converting-amp-to-etc), but I'd guess that would want a trailing `;` on each entity group. – Rup Jul 30 '18 at 09:42
  • I have tried HttpUtility.HtmlDecode on it but to no avail. It just returns the same string I pass to it. – yveslebeau Jul 30 '18 at 09:43
  • Yes, because it requires entities be terminated with a `;`: https://referencesource.microsoft.com/#System/net/System/Net/WebUtility.cs,184 "We found a '&'. Now look for the next ';' or '&'. The idea is that if we find another '&' before finding a ';', then this is not an entity, and the next '&' might start a real entity (VSWhidbey 275184)". If you really need to decode these, which AFAICS are invalid, you could take that code and modify it. – Rup Jul 30 '18 at 09:47
  • Awesome, thank you very much. I will try that. If it works could you make it a post and I can make it the accepted answer? – yveslebeau Jul 30 '18 at 09:50
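The decoder the comments point at, written out as an added example (hypothetical `LenientEntityDecoder` class, not code from the question, the AntiXss library or the .NET source): it accepts numeric character references with or without the terminating `;` that HttpUtility.HtmlDecode insists on, because browsers decode both forms, so a check that runs before this normalisation can be bypassed by the encoding shown in the question.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper (added example): lenient numeric-entity decoding, then the
// check for script URIs runs on the decoded value rather than the raw one.
public static class LenientEntityDecoder
{
    // Decimal (&#0000106) or hex (&#x6A, &#X6A) references; the ';' is optional.
    private static readonly Regex NumericRef =
        new Regex(@"&#(?:[xX]([0-9a-fA-F]{1,8})|([0-9]{1,10}));?", RegexOptions.Compiled);

    public static string Decode(string input)
    {
        if (string.IsNullOrEmpty(input)) return input;
        return NumericRef.Replace(input, m =>
        {
            bool isHex = m.Groups[1].Success;
            string digits = isHex ? m.Groups[1].Value : m.Groups[2].Value;
            int codePoint;
            try { codePoint = isHex ? Convert.ToInt32(digits, 16) : int.Parse(digits); }
            catch (OverflowException) { return m.Value; } // too large to be a code point
            // Leave surrogates and out-of-range values untouched instead of throwing.
            if (codePoint < 0 || codePoint > 0x10FFFF || (codePoint >= 0xD800 && codePoint <= 0xDFFF))
                return m.Value;
            return char.ConvertFromUtf32(codePoint);
        });
    }

    // Assumption: the value is destined for a URL attribute. Decode first, then check,
    // so the entity-encoded form cannot slip past the test for a javascript: scheme.
    public static bool IsScriptUri(string raw)
    {
        string decoded = Decode(raw).TrimStart();
        return decoded.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // The string from the question, reassembled here as the sample input.
        string encoded = "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114"
                       + "&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101"
                       + "&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";
        Console.WriteLine(Decode(encoded));
        Console.WriteLine(IsScriptUri(encoded));
    }
}
```

Named entities (`&lt;` and friends) are not handled here; run the result through HttpUtility.HtmlDecode afterwards if those matter too.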
