I have a textarea in an ASP.NET MVC application where the user can type some text. When I show the text to the user, I use Html.Encode to prevent malicious input. The problem is that the user can type in Spanish and maybe he types año and the Encode transforms this into a&#241;o. How can I prevent this?
EDIT: In the generated HTML, I see this:
<a href="a1-'a1'-Cama&#241;o?sort=estadisticas#241;o">a1 'a1' Cama&#241;o</a>
Later in the page I have this, and this time the display is correct:
<b>a1 'a1' Camaño</b>
The first is generated this way:
<%= Html.RouteLink(Html.Encode(Model.NAME), ...... %>
and the second like this:
<%= Html.Encode(Model.NAME)%>
So my guess is that the problem is with the Html.RouteLink.
Are you encoding twice accidentally?
For example, if you set the Textarea's content programmatically on the server side, it will encode the content automatically on render.
Try looking at the raw HTML output of the textarea.
Normally when you put escapes inside textarea content, it should show up in the textarea decoded (displayed as the intended unescaped character).
So it might be a problem of accidentally calling Html.Encode twice unnecessarily.
If your data is already escaped, you might want to un-escape (Html.Decode) it before putting it in the textarea.
"So my guess is that the problem is with the Html.RouteLink"
Yep. You're not supposed to HTML-encode the parameter going into RouteLink; it generates the HTML itself and so will take care of escaping for you.
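The double encoding discussed in the answers above, as an added example that is not code from the original posts. BuildLink is a hypothetical stand-in for a helper like Html.RouteLink that encodes its own link text, System.Net.WebUtility.HtmlEncode stands in for Html.Encode, and LooksDoubleEncoded is a hypothetical check for rendered output; all sample values are constructed.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class DoubleEncodingDemo
{
    // Hypothetical stand-in for a link helper such as Html.RouteLink:
    // it builds the markup itself, so it HTML-encodes what it is given.
    static string BuildLink(string href, string linkText)
    {
        return "<a href=\"" + WebUtility.HtmlEncode(href) + "\">"
             + WebUtility.HtmlEncode(linkText) + "</a>";
    }

    // Hypothetical check for rendered markup: an escaped ampersand directly
    // followed by an entity body means a value was encoded twice.
    static bool LooksDoubleEncoded(string html)
    {
        return Regex.IsMatch(html, @"&amp;(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);");
    }

    static void Main()
    {
        // Constructed sample values.
        string name = "a1 'a1' Camaño";
        string markup = "<script>alert(1)</script>";

        // Pre-encoding and then handing the result to a helper that encodes
        // again escapes the '&' of every entity, so the browser displays the
        // entity text literally instead of the character.
        string twice = BuildLink("/items/1", WebUtility.HtmlEncode(name));

        // Passing the raw value lets the helper encode exactly once.
        string once = BuildLink("/items/1", name);

        // Encoding once is still sufficient for untrusted markup: the angle
        // brackets are escaped and the text renders inert.
        string inert = BuildLink("/items/1", markup);

        foreach (string html in new[] { twice, once, inert })
        {
            Console.WriteLine(html);
            Console.WriteLine("  double-encoded: " + LooksDoubleEncoded(html));
        }
    }
}
```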