How to config AntiXSS with .Net 3.5?

Question

Hi I am using Ajax HtmlEditorExtender for my one of TextBox. It is strongly recommended to use the AntiXSS Sanitizer. Following is what I added in my web.config.

<configSections>
<sectionGroup name="system.web">
            <section name="sanitizer" requirePermission="false" type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit"/>
        </sectionGroup>

 </configSections>

    <system.web>
        <compilation targetFramework="3.5" debug="true"/>
        <sanitizer defaultProvider="AntiXssSanitizerProvider">
            <providers>
                <add name="AntiXssSanitizerProvider" type="AjaxControlToolkit.Sanitizer.AntiXssSanitizerProvider"></add>
            </providers>
        </sanitizer>
    </system.web>

But I got two errors in my web.config. (1) The 'targetFramework' attribute is not declared. (2) The element 'system.web' has invalid child element 'sanitizer'.

Can anyone tell me how to fix them?

Answer 1

The targetFramework attribute was introduced in .NET 4.0, if you're getting the ... is not declared error it probably means the AppPool you're running your application under is running the .NET 2.0 framework.

To fix this you can either:

1. In IIS, change the version of the .NET framework for the AppPool to .NET 4.0, or select a different AppPool that is configured to use .NET 4.0

   or

2. Remove the targetFramework attribute from your web.config, in which case ASP.NET will default to whichever version the AppPool you're using is configured to use.