Reputation:
Encode and decode html to prevent xss in VB
I want to prevent xss in my application. I have an text input for which I should be able to accept for example <script>alert(1)</script> but as I save this, if I encode it using : System.Web.HttpUtility.HtmlEncode(Me.txtUsername.Text)
I will be able to save the encoded version of this string:
<script>alert(1)</script>
how should I show this later on without letting the script be executed?
if I decode it the script will be executed.
I want to later on show this as <script>alert(1)</script>
Upvotes: 1
Views: 1892
Answers (2)
Reputation: 943
If your text is not being decoded you may use jQuery
$("<div/>").html(yourString).text();
Upvotes: 0
Reputation: 13837
Just show the text. Don't decode it. Let the browser do that for you.
<script>alert(1)</script>
See also this answer regarding other types of XSS vulnerabilities that html encoding doesn't protect you from: https://stackoverflow.com/a/70222/69527
Upvotes: 1
Related Questions
- How to use Server.htmlEncode / Server.htmlDecode without compromising security?
- How can I use the HtmlEncode (or HtmlDecode) function in Visual Studio (vb.net)?
- How to HTML encode en dash in vb.net?
- No luck with HTML decoding based on safe HTML tags (vb.net or c#)
- ASP.net insert html encoded code into page
- To HTMLENCODE or not to HTMLENCODE user input on web form (asp.net vb)
- How to stop automatic HTML Encoding when assigning to HTML Input Fields VB.NET
- How to encode and only encode html special characters in a URL in vb.net
- XSS mitigation in HTML/VBScript/Classic ASP
- .Net function to replace/encode&decode HTML characters in string