I use AntiXSS but I still can hack page

I don't know if I am doing this right.
This is the first time I have built something to prevent an attack on a page.
I will start from the bottom:
I have a property:

public string Description {get;set;}

The user can set its value through tinyMCE:

tinyMCE.init({
    mode: "textareas",
    theme: "advanced",
    encoding : "xml"...

In the controller, before I save this in the database, I do:

model.Description = HttpUtility.HtmlDecode(model.Description);

In the database I have a value like:

<p>bla bla bla</p>

I added the AntiXSS library to my project:

public class AntiXssEncoder : HttpEncoder
{
    public AntiXssEncoder() { }

    protected override void HtmlEncode(string value, TextWriter output)
    {
        output.Write(Encoder.HtmlEncode(value)); // on a breakpoint the code always gets in here
    }
...

When I display data from database I use:

@Html.Raw(Model.Place.Description)

And it works fine: I see only text, no HTML tags. Line breaks work fine. I can style text with bold, italic etc.

But if I enter:

<script>alert(open to attack);</script>

I get an alert window.
I don't understand; do I need to do something more to prevent this?

asked Dec 01 '25 04:12 by 1110


1 Answer

I added AntiXSS library to my project

And where are you using it?

Make sure that you have not only added AntiXSS but you actually used it:

@Html.Raw(Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(Model.Place.Description))

But remember that the new version of the AntiXSS library is a bit too restrictive and will strip tags like <strong> and <br> out which might not be desired.

As an alternative to the AntiXSS library you could use HTML Agility Pack to do this job. Rick Strahl blogged about a sample implementation.

answered Dec 02 '25 20:12 by Darin Dimitrov
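The allow-list approach the answer points to (HTML Agility Pack instead of the restrictive AntiXSS sanitizer), as an added example that is not code from the question, the answer, or Rick Strahl's post. It assumes the HtmlAgilityPack NuGet package is referenced; the tag list and the HtmlAllowList class name are my own choices, sized to the formatting tinyMCE produces for the Description field.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

// Added example: allow-list sanitizer to call from the view instead of
// passing Model.Place.Description straight into @Html.Raw.
public static class HtmlAllowList
{
    // Only the formatting the editor produces is kept; everything else is dropped.
    static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "strong", "em", "b", "i", "u", "ul", "ol", "li" };

    // Elements whose inner text must disappear too (a script body is not prose).
    static readonly HashSet<string> DropWithContent =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "script", "style", "iframe", "object", "embed" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // Walk a snapshot of the nodes, because the tree is mutated during the walk.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                node.Remove();                 // comments can hide markup from naive filters
            }
            else if (node.NodeType != HtmlNodeType.Element || node.ParentNode == null)
            {
                continue;                      // plain text stays as it is
            }
            else if (DropWithContent.Contains(node.Name))
            {
                node.Remove();                 // <script>alert(...)</script> goes away entirely
            }
            else if (!AllowedTags.Contains(node.Name))
            {
                // Unknown tag: keep its children (the text), drop the tag itself.
                node.ParentNode.RemoveChild(node, keepGrandChildren: true);
            }
            else
            {
                // Allowed tag: strip every attribute, so onclick=, style= and
                // href="javascript:..." cannot ride along on a permitted element.
                node.Attributes.RemoveAll();
            }
        }
        return doc.DocumentNode.InnerHtml;
    }
}
```

In the view the call becomes `@Html.Raw(HtmlAllowList.Sanitize(Model.Place.Description))`; the `<p>bla bla bla</p>` content from the question survives while the `<script>` element is removed.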