
HTML.Encode() - What/How does it prevent scripting security problems in ASP .NET?

What security protection does HTML.Encode() afford me when I'm dealing with user input, specifically scripting problems?

Achilles asked Jun 18 '09 19:06





2 Answers

Please see Server.HTMLEncode:

The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application. Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.

If the string to be encoded is not DBCS, HTMLEncode converts characters as follows:

  • The less-than character (<) is converted to &lt;.
  • The greater-than character (>) is converted to &gt;.
  • The ampersand character (&) is converted to &amp;.
  • The double-quote character (") is converted to &quot;.
  • Any ASCII code character whose code is greater-than or equal to 0x80 is converted to &#<number>, where <number> is the ASCII character value.

This means that if you are going to dump some data to the request stream and that data was saved to the database from a user-entered field it will prevent users from being able to say that their first name is:

<script type="text/javascript">
    function doSomethingEvil() { /* ... */ }
</script>

In this example, Server.HTMLEncode would encode the <, >, and " characters leaving this:

&lt;script type=&quot;text/javascript&quot;&gt;
    function doSomethingEvil() { /* ... */ }
&lt;/script&gt;

which, if rendered in the browser will look like this:

<script type="text/javascript"> function doSomethingEvil() { /* ... */ } </script>

rather than actually executing.

Andrew Hare answered Sep 25 '22 13:09

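An added reference implementation of the five conversion rules quoted in the answer above (this is illustrative code, not the answer's own nor ASP.NET's), with a hypothetical render_greeting page fragment that dumps a stored first name into element content, so you can see why the encoded version no longer yields a script element. Note that these rules leave the single quote untouched, so they cover element content and double-quoted attribute values, not single-quoted or unquoted attributes.

```python
import html
import re

# Reference implementation of the Server.HTMLEncode rules listed above:
# <, >, & and " become named entities; any character at or above 0x80
# becomes a numeric entity; everything else (including ') passes through.
def html_encode(text: str) -> str:
    named = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}
    out = []
    for ch in text:
        if ch in named:
            out.append(named[ch])
        elif ord(ch) >= 0x80:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)

# Hypothetical page fragment: the stored first name is written into a <p>.
def render_greeting(first_name: str, encode: bool = True) -> str:
    value = html_encode(first_name) if encode else first_name
    return f"<p>Hello, {value}</p>"

# Number of <script ...> start tags a browser would parse from the markup.
def script_tag_count(markup: str) -> int:
    return len(re.findall(r"<script\b", markup, flags=re.IGNORECASE))

# True when decoding the encoded text gives back the original, i.e. the
# browser displays exactly what the user typed rather than interpreting it.
def round_trips(text: str) -> bool:
    return html.unescape(html_encode(text)) == text

# Constructed sample: the "first name" from the answer above.
EVIL_NAME = ('<script type="text/javascript">\n'
             '    function doSomethingEvil() { /* ... */ }\n'
             '</script>')

if __name__ == "__main__":
    print(render_greeting(EVIL_NAME, encode=False))  # one live <script> element
    print(render_greeting(EVIL_NAME))                # entity-escaped, displayed as text
    print(html_encode("Zoë"))                        # Zo&#235;
```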


It prevents XSS (cross-site scripting) attacks, since it prevents user input from turning into scripts that can be used to perform this type of attack.

BlackTigerX answered Sep 24 '22 13:09
