Is Html.Encode() method needed?

  • sanjib65
    New Member
    • Nov 2009
    • 102

    Whenever I take user's input through TextBox or anything else, it's good practice to use Html.Encode(TextBox1.Text) for security purposes.
    But is it necessary now, as ASP.NET 2.0 has strengthened the security measures and in 3.5 it is probably built in?
    I've tried to push HTML code through a TextBox (without Html.Encode()) but the Framework resisted it!
  • Frinavale
    Recognized Expert Expert
    • Oct 2006
    • 9749

    #2
    I'm not sure what the problem is?
    Are you trying to upload HTML or JavaScript to a server?

    ASP.NET has configurable security settings that check for potential cross site scripting attacks. It restricts certain data from being uploaded to the server. If your application is expecting this type of data then you should cautiously look into configuring the security settings to allow this to be entered.

    -Frinny


    • sanjib65
      New Member
      • Nov 2009
      • 102

      #3
      Many thanks Frinny.
      Probably I could not clarify my point clearly and messed up things :)
      Actually I have no intention to inject any malicious code anywhere; what I wanted to know is whether Html.Encode() is at all necessary for my site (especially when I take user inputs) or whether the .NET Framework has its own built-in method to keep a check on this?


      • Frinavale
        Recognized Expert Expert
        • Oct 2006
        • 9749

        #4
        It is a good idea to use the Html.Encode() method.

        The Encode method transforms any special characters (like <> etc) into the ASCII equivalent.

        Let's say the user enters:
        <script type="text/javascript">... some nasty script...</script>

        It is most likely that ASP.NET will detect this as an attempt at cross site scripting and will throw a security error.

        Great you're protected in this instance.

        Now let's say that somehow the data stored in the database (maybe from another application or say the security settings for the web applications were configured to allow this) was:

        <script type="text/javascript">... some nasty script... </script>

        If you send this to the browser as is, the browser will interpret the script between the <script></script> tags and run the code. This could be very bad for you and your end user (the script could be doing anything: redirecting requests to another site first... gathering information and sending it off to somewhere else... or anything really).

        If you had used the Encode method the <> would have been transformed into their ASCII equivalent and the browser would just display the content as text instead of interpreting the text as code and executing it.

        Data should never be trusted.
        You should always take care to protect yourselves and your client.
        The Encode method adds that extra bit of security to ensure that bad things don't happen.

        -Frinny


        • sanjib65
          New Member
          • Nov 2009
          • 102

          #5
          Many thanks Frinny, you have explained a very important affair in an excellent manner.
          In a hurry I had mistakenly written Html.Encode(); actually it should be either the HttpUtility.HtmlEncode() or the Server.HtmlEncode() method.
          Both are required for the untrusted data (which you have mentioned correctly, "Data should never be trusted") that is placed in the Text property.

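The encoding step that posts #4 and #5 describe, as an added example that is not part of the thread and not Microsoft's code: a small console program that runs the thread's "nasty script" string through HttpUtility.HtmlEncode (the method post #5 settles on), next to a hand-written encoder that makes visible which characters the framework method rewrites, followed by the Web Forms usage the original poster asked about. The control names TextBox1 and Label1, the Submit_Click handler and the Web Forms page they live in are assumed.

```csharp
// Added example, not code from the thread. Assumes a project that references
// System.Web so that System.Web.HttpUtility is available (classic ASP.NET /
// .NET Framework).
using System;
using System.Text;
using System.Web;

class HtmlEncodeDemo
{
    // Constructed sample: the untrusted value from post #4, as a user (or a
    // row written by some other application) might hand it to the page.
    const string Untrusted =
        "<script type=\"text/javascript\">... some nasty script...</script>";

    // Encode at the point where the value is placed into HTML output.
    // This is the call post #5 recommends.
    static string EncodeForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Hand-written equivalent, kept only to show which characters matter to an
    // HTML parser. It is not a replacement for the framework method: the
    // framework one is maintained and covers edge cases this loop does not.
    static string EncodeByHand(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '<': sb.Append("&lt;"); break;   // tag start: no longer opens <script>
                case '>': sb.Append("&gt;"); break;   // tag end
                case '&': sb.Append("&amp;"); break;  // entity start: prevents smuggled entities
                case '"': sb.Append("&quot;"); break; // closes a double-quoted attribute
                case '\'': sb.Append("&#39;"); break; // closes a single-quoted attribute
                default:  sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        Console.WriteLine("Raw (a browser would execute this):");
        Console.WriteLine(Untrusted);
        Console.WriteLine();
        Console.WriteLine("HttpUtility.HtmlEncode (a browser shows this as text):");
        Console.WriteLine(EncodeForHtml(Untrusted));
        Console.WriteLine();
        Console.WriteLine("Hand-written encoder, for comparison:");
        Console.WriteLine(EncodeByHand(Untrusted));
    }
}

// Hypothetical Web Forms code-behind (assumed page with TextBox1 and Label1).
// Label.Text is written into the page verbatim, so encode before assigning.
public partial class EchoPage : System.Web.UI.Page
{
    protected void Submit_Click(object sender, EventArgs e)
    {
        // HttpUtility.HtmlEncode and Server.HtmlEncode reach the same
        // encoder; Server is just the Page's HttpServerUtility instance.
        Label1.Text = HttpUtility.HtmlEncode(TextBox1.Text);
        // Equivalent: Label1.Text = Server.HtmlEncode(TextBox1.Text);
    }
}
```

Two caveats a practitioner would add to the thread's advice. First, the "Framework resisted it" behaviour the original poster saw is ASP.NET request validation, a blocklist on incoming requests; it does nothing for data that arrives by another path (another application writing to the same database, as post #4 describes) and can be switched off per page, so output encoding is still the control that matters. Second, HtmlEncode is correct for HTML element content and quoted attribute values only; a value placed inside a JavaScript block, a URL or a CSS rule needs the encoder for that context, not this one.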