
Is Html.Encode() method needed?

sanjib65
102 New Member
Whenever I take user's input through TextBox or anything else, it's good practice to use Html.Encode(TextBox1.Text) for the security purpose.
But is it necessary now as ASP.NET 2.0 has strengthened the security measure and in 3.5 it is probably in-built.
I've tried to push html code through TextBox (without Html.Encode()) but Framework resisted it!
Dec 2 '09 #1
Frinavale
9,735 Recognized Expert Moderator Expert
I'm not sure what the problem is.
Are you trying to upload HTML or JavaScript to a server?

ASP.NET has configurable security settings that check for potential cross site scripting attacks. It restricts certain data from being uploaded to the server. If your application is expecting this type of data then you should cautiously look into configuring the security settings to allow this to be entered.

-Frinny
Dec 2 '09 #2
sanjib65
102 New Member
Many thanks Frinny.
Probably I could not clarify my point clearly and messed up things :)
Actually I have no intention to inject any malicious code anywhere; what I wanted to know is whether Html.Encode() is at all necessary for my site (especially when I take user inputs) or the .NET Framework has its built-in method to keep a check on this?
Dec 2 '09 #3
Frinavale
9,735 Recognized Expert Moderator Expert
It is a good idea to use the Html.Encode() method.

The Encode method transforms any special characters (like <> etc) into the ASCII equivalent.

Let's say the user enters:
<script type="text/javascript">... some nasty script...</script>

It is most likely that ASP.NET will detect this as an attempt at cross site scripting and will throw a security error.

Great, you're protected in this instance.

Now let's say that somehow the data stored in the database (maybe from another application or say the security settings for the web applications were configured to allow this) was:

<script type="text/javascript">... some nasty script... </script>

If you send this to the browser as is, the browser will interpret the script between the <script></script> tags and run the code. This could be very bad for you and your end user (the script could be doing anything: redirecting requests to another site first... gathering information and sending it off to somewhere else... or anything really).

If you had used the Encode method the <> would have been transformed into their ASCII equivalent and the browser would just display the content as text instead of interpreting the text as code and executing it.

Data should never be trusted.
You should always take care to protect yourselves and your client.
The Encode method adds that extra bit of security to ensure that bad things don't happen.

-Frinny
Dec 2 '09 #4
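The following is an added example, not code from the thread, that shows what encoding at the point of output does with the stored-script case Frinny describes. The small HtmlEncode helper is mine and mirrors the characters the framework's HttpUtility.HtmlEncode transforms; the RenderComment method and the stored comment string are constructed for the demonstration. The call to System.Net.WebUtility.HtmlEncode (a .NET 4.0+ API, not mentioned in the thread) is there only so the two outputs can be compared.

```csharp
using System;
using System.Net;
using System.Text;

// Added example (not from the thread). Demonstrates HTML-encoding untrusted
// data when it is written into the page, so the browser shows it as text
// instead of interpreting it as markup or script.
static class OutputEncodingDemo
{
    // Minimal encoder: the five characters that let text break out of a text
    // node or an attribute value become entities; everything else passes
    // through unchanged. Hypothetical helper written for this example.
    public static string HtmlEncode(string s)
    {
        if (s == null) return null;
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            switch (c)
            {
                case '<':  sb.Append("&lt;");   break;
                case '>':  sb.Append("&gt;");   break;
                case '&':  sb.Append("&amp;");  break;
                case '"':  sb.Append("&quot;"); break;
                case '\'': sb.Append("&#39;");  break;
                default:   sb.Append(c);        break;
            }
        }
        return sb.ToString();
    }

    // Renders a stored comment into a page fragment. The data is encoded
    // here, at output time, regardless of how it got into the database.
    public static string RenderComment(string storedComment)
    {
        return "<div class=\"comment\">" + HtmlEncode(storedComment) + "</div>";
    }

    static void Main()
    {
        // Constructed sample: data that reached the database without passing
        // through request validation (e.g. written by another application).
        string stored = "<script type=\"text/javascript\">alert('hi')</script>";

        Console.WriteLine("Sent as-is (the browser would run the script):");
        Console.WriteLine("<div class=\"comment\">" + stored + "</div>");
        Console.WriteLine();

        Console.WriteLine("Encoded (the browser displays it as text):");
        Console.WriteLine(RenderComment(stored));
        // Expected:
        // <div class="comment">&lt;script type=&quot;text/javascript&quot;&gt;alert(&#39;hi&#39;)&lt;/script&gt;</div>
        Console.WriteLine();

        Console.WriteLine("Framework encoder, for comparison:");
        Console.WriteLine(WebUtility.HtmlEncode(stored));
        Console.WriteLine();

        // Caveat: encode exactly once, at output. Encoding already-encoded text
        // turns "&lt;" into "&amp;lt;", and the page then shows a literal "&lt;".
        Console.WriteLine("Double-encoded (what to avoid):");
        Console.WriteLine(HtmlEncode(HtmlEncode("<b>bold</b>")));
        // Expected: &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;
    }
}
```

The point of putting the encoding in RenderComment rather than at input time is the one the answer makes: request validation only inspects what arrives through your own application's requests, and it can be configured off, whereas data in the database may have arrived by other routes. Encoding where the value is written into HTML covers both cases, and doing it once (not on both save and display) avoids the double-encoding shown at the end.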
sanjib65
102 New Member
Many thanks Frinny, you have explained a very important affair in an excellent manner.
In a hurry I had mistakenly written Html.Encode(); actually it should be either the HttpUtility.HtmlEncode() or the Server.HtmlEncode() method.
Both are required for the untrusted data (which you have mentioned correctly, "Data should never be trusted") that is placed in the Text property.
Dec 3 '09 #5