Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

HTML.Encode() - What/How does it prevent scripting security problems in ASP .NET?

Tags:

security

asp.net

What security protection does HTML.Encode() afford me when I'm dealing with user input, specifically scripting problems?

like image 528
Achilles Avatar asked Jun 18 '09 19:06

Achilles

People also ask

What is the purpose of HTML encoding?

HTML encoding ensures that text will be correctly displayed in the browser, not interpreted by the browser as HTML. For example, if a text string contains a less than sign (<) or greater than sign (>), the browser would interpret these characters as an opening or closing bracket of an HTML tag.

What is HTML encoding explain with an example?

HTML Encoding means to convert the document that contains special characters outside the range of normal seven-bit ASCII into a standard form. The type of encoding used is sent to the server in form of header information so that it can be easily and correctly parsed by the browsers.

How do you encode an HTML entity?

The htmlentities() function converts characters to HTML entities. Tip: To convert HTML entities back to characters, use the html_entity_decode() function. Tip: Use the get_html_translation_table() function to return the translation table used by htmlentities().

2 Answers

Please see Server.HTMLEncode:

The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application. Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.

If the string to be encoded is not DBCS, HTMLEncode converts characters as follows:

  • The less-than character (<) is converted to &lt;.
  • The greater-than character (>) is converted to &gt;.
  • The ampersand character (&) is converted to &amp;.
  • The double-quote character (") is converted to &quot;.
  • Any ASCII code character whose code is greater-than or equal to 0x80 is converted to &#<number>, where is the ASCII character value.

This means that if you are going to dump some data to the request stream and that data was saved to the database from a user-entered field it will prevent users from being able to say that their first name is:

<script type="text/javascript">
    function doSomethingEvil() { /* ... */ }
</script>

In this example, Server.HTMLEncode would encode the <, >, and " characters leaving this:

&lt;script type=&quot;text/javascript&quot;&gt;
    function doSomethingEvil() { /* ... */ }
&lt;/script&gt;

which, if rendered in the browser will look like this:

<script type="text/javascript"> function doSomethingEvil() { /* ... */ } </script>

rather than actually executing.

like image 151
Andrew Hare Avatar answered Sep 25 '22 13:09

Andrew Hare

it prevents XSS (cross site scripting) attacks, since if it prevents users input to turn into scripts that can be used to perform this type of attack

like image 43
BlackTigerX Avatar answered Sep 24 '22 13:09

BlackTigerX
Sign in to Comment

Related questions

Add Attachment base64 image in MailMessage and read it in html body
Get controller and action name from AuthorizationHandlerContext object
Duplicate Rows when Data Binding with LINQ to Entities
Books that will cover TDD, DDD and Design Patterns in .NET
filter the file type with the file upload control
mvc bind/post boolean to radiobutton
Is web.config or app.config cached in memory
asp.net webforms routing: optional parameters
Is ASP.Net a scripting language or a framework? [closed]
Formatting an asp:DataPager to show in ul li
How to align text to center in asp label
How to move a DataTable row to the first position of its DataTable
Required field validator not working when OnClientClick is added in the button
How to get ApplicationDbContext out of the Owin pipeline
Data caching per request in Owin application
Azure Website - Web.config transform fails "No element in the source document matches /configuration/system.identityModel/identityConfiguration"
How to get current UserId in Identity 3.0? User.GetUserId returns null
How to access the item being data bound during ItemDataBound?
HTML attribute bgcolor is deprecated: What To Use Instead?
Passing parameter to WebMethod with jQuery Ajax

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!