Reputation: 2098
I'm currently working to solve a major permanent XSS vulnerability on my website. To do this, I am calling:
this.Title = System.Security.SecurityElement.Escape(this.Title);
on the values I am taking in, which properly escapes all of the characters that need to be escaped (<, >, &, etc.). My problem arises when I go to display this title elsewhere on my page:
<p> @title </p>
Which displays the string exactly as it is stored, i.e. the escaped entities themselves ("&lt;", "&gt;", etc.).
To solve this problem, I have noticed that if I call:
<p> @Html.Raw(title) </p>
That the values are properly displayed on the page (<, >, etc.). But I am afraid that this still ensures a vulnerability. What is the best way to properly render the HTML onto the page? Am I doing anything wrong? Or am I properly using Html.Raw()?
Upvotes: 1
Views: 1722
Reputation: 1756
You want to take and store the title as it comes in. Then you escape the title on output.
See, e.g., the answer on html/XSS escape on input vs output
Upvotes: 1
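To make the answer concrete, here is an added C# console example (not code from the question, the answer, or any project) that reproduces the double encoding described in the question and contrasts it with encoding once on output. It assumes a minimal Post class with a Title property standing in for the asker's model, and uses WebUtility.HtmlEncode as a stand-in for the encoding Razor's @ syntax applies.

```csharp
using System;
using System.Net;
using System.Security;

// Hypothetical model standing in for the asker's object that carries a Title.
class Post
{
    public string Title { get; set; }
}

static class Program
{
    // Constructed sample input: the kind of title a malicious user might submit.
    const string Submitted = "<script>alert(1)</script> & more";

    // What the question does: escape on input, then let the view encode again.
    // The stored value already contains entities, so the view encodes the '&'
    // of each entity a second time and the visitor sees "&lt;script&gt;" literally.
    static string EscapeOnInputThenOutput(string title)
    {
        var post = new Post { Title = SecurityElement.Escape(title) }; // stored pre-escaped
        return WebUtility.HtmlEncode(post.Title);                      // encoded a second time
    }

    // What the answer recommends: store the title verbatim, encode exactly once on output.
    // The browser renders the typed text and never sees a live <script> tag.
    static string StoreRawEncodeOnOutput(string title)
    {
        var post = new Post { Title = title };   // stored as it came in
        return WebUtility.HtmlEncode(post.Title); // the only encoding step, at render time
    }

    static void Main()
    {
        Console.WriteLine("escape on input + encode on output: " + EscapeOnInputThenOutput(Submitted));
        Console.WriteLine("store raw + encode on output:       " + StoreRawEncodeOnOutput(Submitted));
    }
}
```

Html.Raw skips the output encoding step entirely, so with the store-raw approach it would hand the submitted markup to the browser unchanged; the encoding in the second function is what @title already does for you.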