Which should I use?
<input type="hidden" name="first_name" value="<%= person.first_name %>" />
or
<input type="hidden" name="first_name" value="<%= Html.Encode( person.first_name ) %>" />
URL encoding converts characters into a format that can be transmitted over the Internet. URLs can only be sent over the Internet using the ASCII character-set. Since URLs often contain characters outside the ASCII set, the URL has to be converted into a valid ASCII format.
In the htmlEncode function, the innerText of the element is set and the encoded innerHTML is retrieved. In the htmlDecode function, the innerHTML of the element is set and the innerText is retrieved. This method will work fine in many scenarios, but in some cases you will end up with an XSS vulnerability.
Any time you are trying to output data that could include untrusted HTML, you should use HTMLENCODE. It encodes text and merge field values for use in HTML by replacing characters that are reserved in HTML, such as the greater-than sign (>), with their HTML entity equivalents, such as &gt;.
HTML attribute encoding is a superset of HTML encoding and encodes additional characters such as " and '. Before putting untrusted data into JavaScript, place the data in an HTML element whose contents you retrieve at runtime. If this is not possible, then ensure the data is JavaScript encoded.
You should use Html.Encode; otherwise a " in the field could lead to injection problems.
If you want to set a default value for an HTML element, you have to encode the HTML special characters inside the value using character references.
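The following is an added example, not code from the question or from any of the answers above. It shows why the innerText/innerHTML trick and plain HTML text encoding are not enough inside value="...", and what attribute encoding adds, by rendering the hidden input from the question with each encoder and checking whether the untrusted value breaks out of its attribute. All function names, the PAYLOAD string and the tiny attribute tokenizer are constructed for this example; they are not ASP.NET MVC or browser APIs.

```javascript
// Added example (not from the page): HTML text encoding versus HTML attribute
// encoding, applied to the hidden input from the question.

// Emulates the innerText -> innerHTML trick: when a browser serialises a text
// node it escapes only &, <, > and non-breaking space, never the quotes.
function htmlTextEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\u00a0/g, '&nbsp;');
}

// Attribute encoding is a superset of text encoding: it additionally escapes
// the two quote characters that could terminate a quoted attribute value.
function htmlAttrEncode(s) {
  return htmlTextEncode(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Renders the hidden input from the question, applying the given encoder to
// the untrusted value exactly where the template puts it.
function renderHiddenInput(firstName, encode) {
  return `<input type="hidden" name="first_name" value="${encode(firstName)}" />`;
}

// Lists the attribute names of one tag the way a browser would see them.
// Deliberately small tokenizer for a single tag with double-quoted values
// (constructed for this example); it is not a general HTML parser.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+/, '').replace(/\s*\/?>$/, '');
  const names = [];
  const re = /([A-Za-z][\w-]*)(?:="[^"]*")?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// True when the rendered tag carries only the three attributes the template
// wrote, i.e. the untrusted value did not smuggle in any of its own.
function valueStayedInAttribute(tag) {
  const expected = ['type', 'name', 'value'];
  return JSON.stringify(attributeNames(tag)) === JSON.stringify(expected);
}

// Constructed attacker input: a quote closes value, then an event handler is
// added and the trailing quote re-balances the markup. It contains no < or >,
// so text-only encoding (and the innerText/innerHTML trick) leaves it intact.
const PAYLOAD = '" autofocus onfocus="alert(1)" x="';

function demo() {
  return {
    textEncoded: valueStayedInAttribute(renderHiddenInput(PAYLOAD, htmlTextEncode)), // false
    attrEncoded: valueStayedInAttribute(renderHiddenInput(PAYLOAD, htmlAttrEncode)), // true
  };
}

console.log(demo());
```

With text-only encoding the rendered tag gains autofocus, onfocus and x attributes; with attribute encoding the whole payload stays inside the value attribute as literal text. ASP.NET's Html.Encode does encode the double quote, which is why it is sufficient for the double-quoted attribute in the question; for an unquoted attribute or a JavaScript context, the stricter encodings mentioned above are still required.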