AntiXss.UrlEncode Vs. AntiXss.HtmlAttributeEncode Usage In Link (a Href)?
Aug 26, 2010
According to old AntiXss article on MSDN AntiXss.UrlEncode is used to encode link href (Untrusted-input in the following example):[URL]My understanding was, that UrlEncode should be used only when setting something to URL, like when setting document.location with JS. So why don't I use HtmlAttributeEncode in the previous example to encode [Untrusted-input]? On the other hand is there a security flaw if I use UrlEncode to encode HTML attributes like in the above sample?
When you can simply encode the data using HttpUtility.HtmlEncode, why should we use AntiXss.HtmlEncode? Why is white list approach better than black listing?Also, in the Anti XSS library, where do I specify the whitelist?
I have saved all data that comes through Input boxes using AntiXss.HtmlEncode(the text from in put box); Now all texts in my databse are HtmlEncoded So now i want to show them in text boxesSo iave to decode that ? How can i decode a text that is encoded using AntiXss
I want to include Microsoft AntiXss V1.5 library on my live site running in a medium trust setting.However, I got an error something like:Required permissions cannot be acquired.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Policy.PolicyException: Required permissions cannot be acquired.I tried this in full trust setting on my development machine and everything works good.Looks like this will run only in full trust configuration.
have an application in which we are sending mail to client when they register for newsletter to the clients mail id.in that mail we are sending one link which sholud open in a new window on click of the link.The link is working fine in gmail and hotmail, the link is not working in yahooo web mails.
build a shopping site. i have in my menu a link to upload products.i need to disable this link,for thos are not login to the tite. that members only can use this link.the visitors will see or not see the link its dosnt metter to me. but wont be able to click him?
My client wants to pass values through the query string, but they don't want the query string to be displayed in the browser's address bar. The values being passed are for tracking purposes. I know that postback doesn't happen after you click on href link.Is there any way I can get the value out of the query string without displaying it in the browser's address bar? I think this may be impossible, but I may be wrong; I'm hoping to see if anyone has any answers.
I have href links inside a datalist and want to make sure that the top link is clicked by default. The reason for this is that the href inside the datalist will show a different friendly url each time one is selected and also fill a seperate detailsview with data based on values from the query string. I want the user to see the friendly url and first lot of data once he navigates to a page is this possible ?.
<ul class="menu"> <li class="first" runat="server" id="Li2"> <a runat="server" id="A1" href="../NewEntry.aspx">Create a New Entry</a> </li> </ul> when i go to content page ("NewEntry.aspx") i want the link name to be changed to "Update Entry" <ul class="menu"> <li class="first" runat="server" id="Li2"> <a runat="server" id="A1" href="../UpdateEntry.aspx">Update Entry</a> </li> </ul>
i have a requirement to encode the url in javascript and in redirected page i can't use javascript so i must decode the url back in code. so i needs a javascript encode method which encodes url like URLEncode method of asp.net so that i can decode it in code with UrlDecode method
I have spent quite a bit of time researching this here on Asp.Net's Forums, but also on the web in general, and I am still drawing a blank.
The problem: I am trying pass a values such as ... "Jacob's Carpentry" as a query string to another page. However, the other pages keeps seeing "Jacob\s Carpentry".
What I have tried: I have tried using both the Server.UrlEncode and HttpUtility.UrlEncode, and neither have worked. I have also tried using them twice as was suggested in this article, but still with no luck. Finally, I went so far as to try and encode the string, but then do a String.Replace on the " ' " apostrophe and substitute with a "%27". This also did not work, as it appeared that the String.Replace wiped out the encoding.
So I am stuck/lost. It appears the standard PHP functions easily encode the apostrophe, but for some reason the .Net function isn't working.
Here is the code I am using ...
[Code]....
I notice, however, then if I put a breakpoint where the PostBackUrl is set, the encoded string is still only showing "Jacob's+Carpentry", no %27.
Cat.net is nabbing the following code, but I tried to use UrlEncode, but I am getting a http 400 bad requestencodedLink = Default2.aspx%3freturnURL%3d~%2fDefault.aspx
So I have a Hyperlink called lnkTwitter:And I'm trying to set the url in the code behind:lnkTwitter.NavigateUrl = string.Format("http://www.twitter.com/home?status={0}", Server.UrlEncode("I'm Steven"));When I do that and hover over the link, the url displays correctly in the status bar as "http://www.twitter.com/home?status=I'm+Steven", but the actual url, if I click on the link or look at the link's properties, is "http://www.twitter.com/home?status=I%27m+Steven".For some reason, this only happens in Firefox; in IE, I am taken to the correct url.
What is the best way to encode the url in Hyperlink without writing code behind. I have many uses and I would like to do it in the Hyperlink statemeent if possible. Some thing such as the following would be great: (This does not work)
For protect against XSS we should make all input from textboxes thoht Server.Htmlencode function.
1) If i let a input go thorgh Server.Htmlencode and save it in database. But what happen if i letter show this input data from database on browerser ...if database input data have <script> it will then make Xss!!!!.
2) I use Server.Htmlencode.. and the user write <b>ss<b>... (label.text = userinput.text;) and i WANT to show ss in browser. What shuld i do for make this happen ??
