
When to use HTML encode and when not to?

How does HTML.encode work?

I'm trying to save text in a hidden form field into a SQL DB. The text is
HTML (from a WYSIWYG editor...X-standard).

One problem I have is that stray apostrophes in the HTML text are throwing
a SQL error. Html.encode doesn't seem to do anything with these, eh?

Secondly, does HTMLencode also encode already encoded items?

For instance, if I have text in my editor that contains an HTML entity like
&lt; and then I run THAT through HTML.encode, will that decode along with
the html when I use HTML.decode?

-Darrel
Nov 18 '05 #1
"Darrel" <no*****@nospam.com> wrote in
news:et**************@TK2MSFTNGP10.phx.gbl:

> How does HTML.encode work?

It converts reserved HTML characters into their HTML safe equivalent.

> I'm trying to save text in a hidden form field into a SQL DB. The text
> is HTML (from a WYSIWYG editor...X-standard).

Don't HTML encode the text.

> One problem I have is that stray apostrophes in the HTML text are
> throwing a SQL error. Html.encode doesn't seem to do anything with
> these, eh?

Nope - you can use SQL parameters to avoid this error, or you can write
your own SQL delimiting function (just double up all single quotes).

> Secondly, does HTMLencode also encode already encoded items?

Yes, but since the first pass would have converted everything into HTML
safe equivalents, the second pass does nothing.

> For instance, if I have text in my editor that contains an HTML entity
> like &lt; and then I run THAT through HTML.encode, will that decode
> along with the html when I use HTML.decode?

If you run &lt; through HTML encode you'll get &lt; as there are no
reserved characters to encode.
--
Lucas Tam (RE********@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/
Nov 18 '05 #2
"Lucas Tam" <RE********@rogers.com> wrote in message
news:Xn**********************@140.99.99.130...

> "Darrel" <no*****@nospam.com> wrote in
> news:et**************@TK2MSFTNGP10.phx.gbl: <snip>
>
> > I'm trying to save text in a hidden form field into a SQL DB. The text
> > is HTML (from a WYSIWYG editor...X-standard).
>
> Don't HTML encode the text.

Sorry, but that's simply not the case. In general, all text that is not
hard-coded at design-time should be HTML-encoded. If it isn't, the text
could end up altering the page in such a way as to change its behaviour.
This isn't simply a matter of ensuring expected functionality. It's also a
security issue due to the potential for script and HTML injection.

That said, the built-in ASP.NET controls will perform some HTML-encoding for
you (e.g.: in a multi-line textbox that will render as a textarea element),
but not all that is necessary, so you should always ensure that your code
performs the encoding if the framework code doesn't.

> > Secondly, does HTMLencode also encode already encoded items?
>
> Yes, but since the first pass would have converted everything into HTML
> safe equivalents, the second pass does nothing.

Nope. It will re-encode, as in the example below.

> > For instance, if I have text in my editor that contains an HTML entity
> > like &lt; and then I run THAT through HTML.encode, will that decode
> > along with the html when I use HTML.decode?
>
> If you run &lt; through HTML encode you'll get &lt; as there are no
> reserved characters to encode.

The ampersand is a reserved character. If you HTML-encode "&lt;", you'll get
"&amp;lt;".

> --
> Lucas Tam (RE********@rogers.com)
> Please delete "REMOVE" from the e-mail address when replying.
> http://members.ebay.com/aboutme/coolspot18/

Nov 18 '05 #3
Please google sql injection attacks. It sounds like your app is vulnerable
to them. This doesn't answer your question, but it looks like other people
already have.
Nov 18 '05 #4
Server.HtmlEncode(string) encodes the given string as HTML. So, for example,
if you use Server.HtmlEncode("<!--some text -->"), it encodes it as
"&LT;!--some text--&GT;" so that when it appears in an HTML document, it
appears as "<!--some text-->". This is because some text characters are
treated differently by HTML documents, since HTML documents are pure text.
The example above, if not HTML-encoded, would not appear in the document at
all, as the angle brackets and other symbols create an HTML comment. So, as
far as Server.HtmlEncode and when to use it: use it when displaying text in
HTML.

The single quote issue has nothing to do with HTML. It has to do with the
SQL language. The single quote is a text delimiter in SQL. To escape it,
double it. Example:

SELECT * FROM MyTable WHERE LastName = 'O''Malley'

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
I get paid good money to
solve puzzles for a living

"Darrel" <no*****@nospam.com> wrote in message
news:et**************@TK2MSFTNGP10.phx.gbl...

> How does HTML.encode work?
>
> I'm trying to save text in a hidden form field into a SQL DB. The text is
> HTML (from a WYSIWYG editor...X-standard).
>
> One problem I have is that stray apostrophes in the HTML text are throwing
> a SQL error. Html.encode doesn't seem to do anything with these, eh?
>
> Secondly, does HTMLencode also encode already encoded items?
>
> For instance, if I have text in my editor that contains an HTML entity like
> &lt; and then I run THAT through HTML.encode, will that decode along with
> the html when I use HTML.decode?
>
> -Darrel

Nov 18 '05 #5
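As an added example (not code from any poster in this thread), the following Python uses only the standard library's html and sqlite3 modules to show the two separate points made in replies #3 and #5: a bound SQL parameter stores the editor's HTML verbatim, apostrophes included, while HTML-encoding is applied once at output time, where an existing `&lt;` becomes `&amp;lt;` and one decode pass restores exactly the original text. The table name MyTable and the sample HTML are constructed for the example.

```python
import html
import sqlite3

# Constructed sample: HTML from a WYSIWYG editor that contains an apostrophe
# (the thread's SQL error) and an entity the editor has already encoded.
EDITOR_HTML = "<p>O'Malley's note: 1 &lt; 2</p>"

def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, body TEXT)")
    return conn

def naive_insert_fails(raw_html):
    """Reproduces the original problem: splicing the text into the SQL string
    lets the apostrophe end the literal. True when the DB rejects the statement."""
    conn = _fresh_db()
    try:
        conn.execute("INSERT INTO MyTable (body) VALUES ('" + raw_html + "')")
        return False
    except sqlite3.Error:
        return True
    finally:
        conn.close()

def store_and_load(raw_html):
    """Store the HTML exactly as received, using a bound parameter so the
    driver keeps data and SQL text apart, then read it back unchanged."""
    conn = _fresh_db()
    conn.execute("INSERT INTO MyTable (body) VALUES (?)", (raw_html,))
    (body,) = conn.execute("SELECT body FROM MyTable").fetchone()
    conn.close()
    return body

def sql_quote_literal(value):
    """Manual alternative from the thread: double every single quote to build
    a literal by hand, e.g. O'Malley -> 'O''Malley'. Prefer parameters."""
    return "'" + value.replace("'", "''") + "'"

def encode_for_html(text):
    """One HTML-encoding pass at output time. quote=False leaves ' and " alone;
    drop it when the value lands inside an attribute value."""
    return html.escape(text, quote=False)

def round_trip(text):
    """Decoding reverses exactly one encoding pass, so an entity the editor
    already wrote (&lt;) comes back as &lt;, not as a bare '<'."""
    return html.unescape(encode_for_html(text))
```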
