I am not able to understand why Server.HtmlEncode is required. MSDN states that it is used to encode potentially unsafe characters into their HTML-encoded equivalents.
Can someone give me some idea how these characters are unsafe and require us to use Server.HtmlEncode?
Thanks.
One example of how characters can be unsafe is if the user submits a comment on your page. If the comment form does not use HtmlEncode then anything the user has just typed will now be visible as a comment on the page. In that case, a hacker could submit a comment like the following:
<script language="javascript" type="text/javascript">
window.location = 'http://server.com/viruspage.asp';
</script>
For each subsequent user who loads the page, the script will run (because it hasn't been encoded with HtmlEncode), redirecting each user to a page with viruses. This is a very simple example, but there are many other ways to input malicious data, potentially even giving hackers administrative access to your databases.
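To make the answer's point concrete, the following is an added example (not code from the original question or answer, and not ASP.NET's own implementation). It renders the same malicious comment into a constructed, hypothetical page template twice: once verbatim, as a page without Server.HtmlEncode would, and once after applying a hand-written encoder that performs the same character-to-entity mapping Server.HtmlEncode applies to the characters that have meaning in HTML. The comment text, template and function names are all assumptions made for the illustration.

```python
import html

# Constructed sample input (not from the original post): the comment the
# answer above describes a malicious user submitting.
MALICIOUS_COMMENT = (
    '<script language="javascript" type="text/javascript">\n'
    "window.location = 'http://server.com/viruspage.asp';\n"
    "</script>"
)

# Hypothetical page template standing in for the ASP.NET page that echoes
# a stored comment back to every visitor.
PAGE_TEMPLATE = (
    "<html><body><h1>Comments</h1>\n"
    '<div class="comment">{comment}</div>\n'
    "</body></html>"
)


def html_encode(text: str) -> str:
    """Replace the five characters that carry meaning in HTML with entities,
    the same mapping Server.HtmlEncode applies.  '&' is handled first so that
    the entities produced by the later replacements are not re-encoded."""
    return (
        text.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#39;")
    )


def render_unencoded(comment: str) -> str:
    """The vulnerable page: the comment is pasted into the HTML verbatim,
    so a <script> element inside it becomes part of the document and runs."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_encoded(comment: str) -> str:
    """The fixed page: the comment is encoded before it is pasted in, so the
    browser treats it as text to display, not markup to interpret."""
    return PAGE_TEMPLATE.format(comment=html_encode(comment))


def contains_script_element(page: str) -> bool:
    """Crude check for whether the rendered page carries a script start tag."""
    return "<script" in page.lower()


def text_shown_to_reader(encoded: str) -> str:
    """What the browser displays for an encoded fragment: the entities are
    decoded back to characters, so the reader sees exactly what was typed,
    while the parser never saw a real '<'."""
    return html.unescape(encoded)


if __name__ == "__main__":
    print("--- unencoded (vulnerable) ---")
    print(render_unencoded(MALICIOUS_COMMENT))
    print("--- encoded (safe) ---")
    print(render_encoded(MALICIOUS_COMMENT))
```

Two things worth noticing when running it: the encoded page still shows the visitor the literal text the commenter typed (the entities decode back to the same characters for display), and the "&amp;" rule must run first, otherwise encoding "&lt;" would produce "&lt;" again and a carefully chosen comment could smuggle markup through. HtmlEncode is the right tool only for data placed in HTML element content or inside a quoted attribute value; data that ends up inside a script block, a URL, or a SQL query needs the encoder or parameterisation appropriate to that context, which is why the answer's closing remark about database access is a separate problem that HtmlEncode does not solve.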