Microsoft Web Protection Library Can you have your own whitelist? + other questions

If the Microsoft Web Protection Library can have custom white-lists http://wpl.codeplex.com/

I am also wondering do you need to do anything special to get it to work with a开发者_如何转开发sp.net mvc?

I am going through it's methods and I see

AntiXss..::.GetSafeHtml 
AntiXss..::.GetSafeHtmlFragment Method 
AntiXss..::.HtmlEncode Method 
AntiXss..::.JavaScriptEncode Method 
AntiXss..::.UrlEncode Method 

Is there something that does all these in one command or do I have to determine line by line which one to use?

Do I have to determine line by line which one to use

Yes, you have to decide which one to use. But that is not an issue with the library. Each kind of output needs its own enocding.

If you have

<script language="JavaScript" >
alert('<%=  Model.PropertyName %>')
 </script>

You need to Javascript Encode (The easiest attack would use ' which is not handled by HtmlEnocde)

But if you have

<a href="ur"><%= Model.PropertyName %></a>

You need to Html.Encode

I think GetSafeHtmlFragment is for usage as an Html-Attribute, but I am not so shure here.

I am also wondering do you need to do anything special to get it to work with asp.net mvc?

Just add the namespace to your view and us AntiXss.HtmlEncode("").

I have seen a a post where it was shown how you can configure ASP.NET MVC to use the AntiXss library for the handling of <%: %> but I think it doesn't help that much, because the helpers stille use the a hardcoded encoder.