I have 2 fields: a label and a Textbox.
Q1. Should HTML encoding be done while saving data into the database or while displaying it in the aspx page?
Q2. HTML-encoded label text is displayed properly in the browser, like `asd < pqr`, but in the textbox it is showing the ASCII value of the `<` sign.
As textboxes in asp.net are already encoded by default, should we decode it before displaying on the page?
Q3. If the Textbox value is decoded while displaying, then what is the security impact?
Q4. If I have a two-way bound Textbox in an edittemplateitem, how do I decode its value while displaying?
Upvotes: 1
Views: 721
Reputation: 24071
Escaping should be done as late as possible and for a given target system; this is in contrast to validating, which should be done as soon as possible. Applied to your questions this would mean:
Q1: The input should not be escaped (HTML encoding) when inserting into the database, instead keep the original text. Only when displaying the text on an HTML form, should the escaping be done. To mitigate SQL-injection use prepared statements, or do an escaping for SQL, not for HTML.
Q2: Because we did not escape the text prematurely, ASP can do the escaping of the original text and no ASCII codes will appear.
Q3: No decoding necessary, because we still have the original text.
Q4: As far as I know, ASP should handle this for you, your application should only have to work with the original text and can leave HTML escaping to the framework.
Upvotes: 2
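An added example (not from the question or the answer above) putting the "escape late, for the target" rule into ASP.NET code: the raw text goes into the database through a parameterized query, HTML escaping happens only at render time, and the last lines reproduce the double-encoding symptom from Q2 when already-encoded text is handed to a TextBox. The `Comments(Body)` table and the connection string are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class CommentStore
{
    // Assumed table: Comments(Body NVARCHAR(400)). The ORIGINAL text is stored;
    // the parameter (not string concatenation) is what mitigates SQL injection.
    public static void Save(string connectionString, string rawBody)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("INSERT INTO Comments (Body) VALUES (@body)", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, 400).Value = rawBody;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Escaping for the HTML target, applied at display time (e.g. for a Label's Text).
    public static string RenderAsHtml(string rawBody)
    {
        return HttpUtility.HtmlEncode(rawBody);
    }

    // What a TextBox already does by itself: it encodes Text into its value attribute.
    public static string RenderAsTextBoxValue(string text)
    {
        return HttpUtility.HtmlAttributeEncode(text);
    }
}

class Demo
{
    static void Main()
    {
        string raw = "asd < pqr"; // constructed sample input

        // Correct: raw text in, escaped once by the control that renders it.
        Console.WriteLine(CommentStore.RenderAsHtml(raw));
        Console.WriteLine(CommentStore.RenderAsTextBoxValue(raw));

        // The mistake from the question: encode before saving, then let the TextBox encode again.
        string storedAlreadyEncoded = HttpUtility.HtmlEncode(raw);
        Console.WriteLine(CommentStore.RenderAsTextBoxValue(storedAlreadyEncoded));
    }
}
```

The final line prints the entity reference with its ampersand escaped a second time, which the browser then shows literally as an entity instead of the `<` sign; with the raw text stored, the TextBox's own single encoding is all that is needed.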