HTML.Encode() – What/How does it prevent scripting security problems in ASP .NET?

What security protection does HTML.Encode() afford me when I’m dealing with user input, specifically scripting problems?

Answers:


Method 1

Please see Server.HTMLEncode:

The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application. Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.

If the string to be encoded is not DBCS, HTMLEncode converts characters as follows:

  • The less-than character (<) is converted to &lt;.
  • The greater-than character (>) is converted to &gt;.
  • The ampersand character (&) is converted to &amp;.
  • The double-quote character (") is converted to &quot;.
  • Any ASCII code character whose code is greater-than or equal to 0x80 is converted to &#<number>;, where <number> is the ASCII character value.

This means that if you are going to dump some data to the request stream and that data was saved to the database from a user-entered field it will prevent users from being able to say that their first name is:

<script type="text/javascript">
    function doSomethingEvil() { /* ... */ }
</script>

In this example, Server.HTMLEncode would encode the <, >, and " characters leaving this:

&lt;script type=&quot;text/javascript&quot;&gt;
    function doSomethingEvil() { /* ... */ }
&lt;/script&gt;

which, if rendered in the browser, will look like this:

<script type="text/javascript">
    function doSomethingEvil() { /* ... */ }
</script>

rather than actually executing.
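The five encoding rules quoted in this answer, ported to JavaScript as an added example (this is not code from the answer, from Microsoft, or from ASP.NET). It applies the rules to the "first name" payload above to show the script tag becoming inert text, and adds the check a practitioner will want: the same encoding does nothing for a value that lands in an unquoted attribute, because neither the space nor `=` is on the list. The `renderBody`, `renderUnquotedAttr`, `renderQuotedAttr` and `attributeNames` helpers, and the sample payloads, are constructed for the demonstration.

```javascript
// Added example: a port of the Server.HTMLEncode rules listed in the answer.
// Not the ASP/ASP.NET implementation; written here to show what the encoding
// does and does not protect.

// Encode one string using exactly the five rules from the documentation quote.
function htmlEncode(s) {
  let out = "";
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (ch === "<") out += "&lt;";
    else if (ch === ">") out += "&gt;";
    else if (ch === "&") out += "&amp;";
    else if (ch === '"') out += "&quot;";
    else if (code >= 0x80) out += "&#" + code + ";"; // numeric character reference
    else out += ch; // everything else (space, =, ', /) passes through unchanged
  }
  return out;
}

// Context 1 (the one the answer describes): the value is dropped into the
// HTML body, between tags. Hypothetical template for the demo.
function renderBody(firstName) {
  return "<p>Hello, " + htmlEncode(firstName) + "</p>";
}

// Context 2: the value lands in an attribute whose template forgot the quotes.
// Hypothetical weak template for the demo.
function renderUnquotedAttr(firstName) {
  return "<div title=" + htmlEncode(firstName) + ">";
}

// Context 3: the same attribute with the quotes in place.
function renderQuotedAttr(firstName) {
  return '<div title="' + htmlEncode(firstName) + '">';
}

// Naive check for the demo: list the attribute names of a single start tag,
// so we can see whether user input created an attribute the template
// never had (for example an onmouseover= handler).
function attributeNames(tag) {
  const inner = tag.replace(/^<|>$/g, "");
  const names = [];
  const re = /([a-zA-Z][\w-]*)(?:="[^"]*"|=[^\s>]*)?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names.slice(1); // drop the element name itself
}

// Constructed sample inputs.
const evilName =
  '<script type="text/javascript">function doSomethingEvil() { /* ... */ }</script>';
const attrPayload = "x onmouseover=alert(1)"; // no <, >, &, " at all
const quoteBreakPayload = '" onmouseover="alert(1)';

// Body context: the tag is neutralised, it is now just text.
console.log(renderBody(evilName));

// Unquoted attribute: encoding changes nothing, and the browser sees a new
// onmouseover attribute. Quoted attribute: the " is encoded, so the value
// cannot be closed early and only "title" survives.
console.log(attributeNames(renderUnquotedAttr(attrPayload)));   // title, onmouseover
console.log(attributeNames(renderQuotedAttr(quoteBreakPayload))); // title
```

The takeaway matches the answer for the body context, and adds the boundary: HTML encoding only makes the four listed characters inert, so the template has to put the value somewhere those four characters are the only way out (quoted attribute value or element text). The single quote is not on the quoted list either, so a single-quoted attribute is in the same position as the unquoted one unless the encoder you actually call handles it; check your framework version before relying on that.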

Method 2

It prevents XSS (cross-site scripting) attacks, since it prevents user input from turning into scripts that can be used to perform this type of attack.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
