I am working on an ASP.NET C# + jQuery Ajax website project. I am trying to prevent XSS attacks, and I know the below is not the full approach, but this is at least what I should do: use HtmlEncode when accepting free string input from users. And I really need someone to kindly check if I am doing the right thing.
So let's say we have a scenario in which one of the page controls is a "Description" text box and users can enter a "free" string used to describe their product. To prevent XSS attack inputs from getting in, on the server-side Page Method I wrapped the "Description" text in HttpUtility.HtmlEncode(), so the string will be interpreted as pure text before going into the database, i.e. <script> becomes &lt;script&gt;.
The part that follows is what I am in doubt about: how to handle the HTML-encoded text before returning it to the user?
When the user wants to view the Description text entered, the website retrieves it from the database and prints it out.
Is it logical to perform HTML decode on the description so the user will not see those weird &lt;&gt; characters? Will it defeat the purpose of using HtmlEncode in the first place? And if yes, is this the correct jQuery line to decode and print the text back to the users?
$("#txtDescription").val($(this).html(obj.Description).text());
Thank you very very much
Do NOT encode text going into the database. Store it in its raw, unfiltered form. Only encode HTML characters when the string is being output into an HTML-capable context (such as output to the browser).
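Added example, not code from the question or the answer, and not ASP.NET code: a small Node.js script that models both approaches (encode before storing versus store raw and encode at output) and the three output contexts the question touches. The htmlEncode helper here stands in for HttpUtility.HtmlEncode on the server; the in-memory "stored" string stands in for the database column; the sample input is constructed.

```javascript
// Added example, not from the original post. Models "store raw, encode on
// output" in plain Node.js so it runs without a browser or ASP.NET. In the
// real project HttpUtility.HtmlEncode would be called where htmlEncode is.

// Encoder for HTML element content and double-quoted attribute values.
// Every character is mapped independently, so an already-encoded string
// gets encoded again: that is the double encoding shown in demo().
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input: what a user might type into the Description box.
const userInput = 'Great <b>product</b> & <script>alert(1)</script>';

// Stand-ins for writing the Description column (assumption: a plain text column).
function storeEncoded(input) { return htmlEncode(input); } // what the question does
function storeRaw(input) { return input; }                  // what the answer recommends

// Output context 1: the value is placed inside an HTML element, e.g. <p>...</p>.
// This is the HTML-capable context where encoding belongs.
function renderAsHtml(stored) {
  return `<p id="desc">${htmlEncode(stored)}</p>`;
}

// Output context 2: a JSON page-method response that jQuery puts into a
// textbox with .val(). .val() sets plain text, not markup, so the stored
// value goes out unchanged; JSON.stringify does JSON's own escaping.
function renderAsJson(stored) {
  return JSON.stringify({ Description: stored });
}

// Output context 3: the same JSON embedded in an inline <script> block of
// the page. JSON escaping alone is not enough there, because a literal
// "</script>" inside the string ends the script element. Escaping "<" as
// \u003c keeps the block intact and JSON.parse still reads it back as "<".
function renderAsInlineScriptJson(stored) {
  return renderAsJson(stored).replace(/</g, "\\u003c");
}

// What the user sees in the textbox after $("#txtDescription").val(obj.Description).
function textboxValue(jsonResponse) {
  return JSON.parse(jsonResponse).Description;
}

function demo() {
  const raw = storeRaw(userInput);
  const enc = storeEncoded(userInput);
  return {
    htmlFromRaw: renderAsHtml(raw),          // encoded once: safe and readable
    htmlFromEncoded: renderAsHtml(enc),      // encoded twice: page shows "&lt;b&gt;"
    textboxFromRaw: textboxValue(renderAsJson(raw)),     // original text, no decode step
    textboxFromEncoded: textboxValue(renderAsJson(enc)), // entities shown literally
    inlineScript: renderAsInlineScriptJson(raw),
  };
}

console.log(demo());
```

Run with `node` and compare the two `textbox*` values: with raw storage the textbox already shows the original text, so the `.html(obj.Description).text()` decode step from the question is unnecessary, and `$("#txtDescription").val(obj.Description)` is enough. It is also unwise: `.html()` parses untrusted data as markup, which is itself an injection point (an `<img src=x onerror=...>` payload fires while being parsed). The `inlineScript` value shows why "encode at output" means "encode for the specific context": the same string needs HTML entities in a `<p>`, JSON escaping in an Ajax response, and additionally `\u003c` inside an inline script block.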