I have a web application. I am using AngularJS and Web API 2.
I have a simple form where the user can insert some free text that will be sent via email to other people. The text is also saved in the DB and can later be shown on a page of the web site. I thought I didn't need to check the user's input, because in Web API the text is automatically encoded. So I expected that if the user, for example, types
I would receive server-side, in my Web API controller, something like this:
I receive instead
How can I encode my input to be sure that the application does not receive an XSS attack? Should I leave the input unchanged but change the value when I put it in the email? And when I save it in my database? Should it be saved in the form
and then encoded when I show it in the page?
At the moment I have just added this to my web.config:
<httpRuntime ... encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
But nothing seems to be changed.
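The pattern the question is circling around is the usual one: the `encoderType` attribute on `httpRuntime` only changes which encoder `HttpUtility.HtmlEncode` and Razor output use; it does not touch what Web API's model binder hands to a controller, which is the raw text. The safe shape is to store the text exactly as received and encode it at each output for that output's context (HTML page, HTML email, or no encoding at all for a text/plain email). The following C# is an added illustration of that separation, not code from the question; the `Message` type, the `MessageEncoding` helper and the sample input are assumptions made up for the example.

```csharp
using System;
using System.Net;                    // WebUtility.HtmlEncode: no System.Web dependency
using System.Web.Security.AntiXss;   // AntiXssEncoder: System.Web.dll, .NET 4.5+

// Hypothetical entity, standing in for whatever the DB row looks like.
public class Message
{
    public int Id { get; set; }
    public string Body { get; set; }
}

public static class MessageEncoding
{
    // Input side: persist exactly what the user sent. Encoding here would
    // bake one output context into the stored data and double-encode later.
    public static Message Store(string rawBody)
    {
        if (rawBody == null) throw new ArgumentNullException("rawBody");
        return new Message { Id = 1, Body = rawBody };
    }

    // Output side, HTML page: encode for an HTML text node. WebUtility is the
    // framework encoder and is enough for element content.
    public static string ForHtmlPage(Message m)
    {
        return WebUtility.HtmlEncode(m.Body);
    }

    // Output side, HTML email: same context, here via the AntiXSS encoder so
    // that behaviour matches what the web.config encoderType switch selects.
    public static string ForHtmlEmail(Message m)
    {
        return AntiXssEncoder.HtmlEncode(m.Body, useNamedEntities: false);
    }

    // Output side, text/plain email: there is no HTML parser on the receiving
    // end, so HTML-encoding would only corrupt the text.
    public static string ForPlainTextEmail(Message m)
    {
        return m.Body;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input containing markup and characters that need escaping.
        string fromForm = "<b>hello</b> & \"quotes\"";

        Message saved = MessageEncoding.Store(fromForm);
        Console.WriteLine("stored:      " + saved.Body);
        Console.WriteLine("html page:   " + MessageEncoding.ForHtmlPage(saved));
        Console.WriteLine("html email:  " + MessageEncoding.ForHtmlEmail(saved));
        Console.WriteLine("plain email: " + MessageEncoding.ForPlainTextEmail(saved));
    }
}
```

On the AngularJS side the same rule applies: a `{{message.body}}` binding escapes the stored text for you, while `ng-bind-html` deliberately does not, so the stored raw text must only ever reach a binding that encodes it.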