Security :: Mitigate The XSS / HTMLEncode And HTMLDecode?

Oct 6, 2010

Trying to protect against XSS on a CMS I'm working on, and I therefore encode all necessary client input, but on retrieval from the DB I'm getting all these funny HTML characters displayed on the HTML page as a result of the encoding.

I'm considering appending a decode on retrieval, but I'm wondering what the point of the initial encoding is if I decode eventually.

Please, how do I effectively mitigate the XSS issue using the encode/decode avenue?

View 3 Replies
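The pattern behind the encode/decode question, as an added example that is not code from the post or the CMS it describes: the stored value stays exactly as typed, and HTML encoding is applied once, at the moment the value is written into HTML. The in-memory list standing in for the database and the two input strings are constructed for the example. HttpUtility.HtmlEncode is used rather than Server.HtmlEncode because it is static and needs no HttpContext; Server.HtmlEncode delegates to it.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class CommentRendering
{
    // Hypothetical store standing in for the CMS database.
    private static readonly List<string> Store = new List<string>();

    // Persist exactly what the user typed. The database is not an HTML context, and
    // the same value may later be emitted into JSON, e-mail or a log, each of which
    // needs a different encoding (or none). Encoding belongs to the output side.
    public static void Save(string userInput)
    {
        Store.Add(userInput);
    }

    // Encode once, where the value becomes HTML element content.
    public static string RenderAsHtml(string comment)
    {
        return "<p>" + HttpUtility.HtmlEncode(comment) + "</p>";
    }

    // For an attribute value, keep the attribute quoted: HtmlEncode turns the quote
    // character into &quot;, so the value cannot terminate the attribute early.
    public static string RenderAsTitleAttribute(string comment)
    {
        return "<span title=\"" + HttpUtility.HtmlEncode(comment) + "\">comment</span>";
    }

    // Why encode-on-save followed by decode-on-read protects nothing: the two calls
    // are inverses, so the browser receives the original payload unchanged.
    public static bool EncodeThenDecodeIsIdentity(string payload)
    {
        string roundTrip = HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(payload));
        return roundTrip == payload;
    }

    public static void Main()
    {
        Save("<script>alert(document.cookie)</script>");   // constructed attacker input
        Save("Tom & Jerry <3");                              // constructed benign input

        foreach (string comment in Store)
        {
            Console.WriteLine(RenderAsHtml(comment));
            Console.WriteLine(RenderAsTitleAttribute(comment));
        }

        Console.WriteLine(EncodeThenDecodeIsIdentity("<img src=x onerror=alert(1)>"));
    }
}
```

The first stored string renders as the literal text of the script tag rather than executing, and the "funny characters" problem disappears because nothing is ever stored encoded. HtmlEncode is the right tool only for HTML element content and quoted attribute values; a value placed inside a script block, a URL or a style needs the encoder for that context instead.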


Similar Messages:

C# - HTMLencode HTMLdecode?

Apr 16, 2010

I have a text area and I want to store the text entered by the user in the database with HTML formatting like paragraph breaks and numbered lists. I am using HtmlEncode and HtmlDecode for this. A sample of my code is like this:

string str1 = Server.HtmlEncode(TextBox1.Text);
Response.Write(Server.HtmlDecode(str1));

If the user entered text with 2 paragraphs, str1 shows characters between the paragraphs, but when it writes it to the screen, it just appends the 2nd paragraph to the 1st. While I'm decoding it, why doesn't it print 2 paragraphs?

View 3 Replies

Web Forms :: HtmlEncode() And HtmlDecode() Not Working Correctly?

Dec 20, 2010

I have a url which I wish to encode that contains a couple of encrypted querystring parameters:

[URL]

I've been asked by a client I'm working with to HTML encode this URL. I've used HttpUtility.HtmlEncode() to do this. This returned the following:

[URL]

This appears to be correct as the '&' has been replaced with '&amp;'. However, a problem arises when I try to use HttpUtility.HtmlDecode() on this new value, as I get the following returned:

[URL]

What appears to have occurred is the '&amp;' has had the 'amp' removed and the ';' has been HTML encoded (I checked the value of '%3b' and it corresponds with the HTML encoded value of a semi-colon). I'm not sure why this is happening?

I realise I could manually do a .Replace("%3b", "") as a temporary fix, but I can't see this being a good long-term solution.

View 4 Replies

C# - What Is The Difference Between HttpUtility.HtmlEncode And Server.HTMLEncode

Dec 7, 2010

What is the difference between HttpUtility.HtmlEncode and Server.HtmlEncode in C#?

View 1 Replies

Security :: Store Some Data Into Sql Using Server.HtmlEncode

Mar 25, 2011

I would like to ask, when I'm trying to store some data into SQL using Server.HtmlEncode, could I use code-behind, for example like this?

[code]....

View 3 Replies

How To Mitigate XSRF For MVC Ajax.ActionLink Requests

Jan 2, 2010

I have many Ajax.ActionLinks on my ASP.NET MVC (v1) page that perform destructive operations. This is "legal" because I set HttpMethod to DELETE in this case, so it's not a destructive GET.

My question though is how to mitigate XSRF attacks on this operation so that other sites cannot craft this same Ajax DELETE request to delete user data from another site. This ActionLink does appear within a form that includes <%= Html.AntiForgeryToken() %>, but since ActionLinks don't post the form, the anti-forgery token doesn't go to the controller, so it can't validate it.

View 2 Replies
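One way to carry the anti-forgery token on a request that is not a form post, as an added example that is not the poster's code. It assumes ASP.NET MVC 4 or later, where System.Web.Helpers.AntiForgery.Validate(cookieToken, formToken) exists (the poster's MVC 1 has no public equivalent), and it assumes the page's own script copies the value of the hidden field rendered by Html.AntiForgeryToken() into a request header; the header name and the ItemsController are arbitrary choices for the example.

```csharp
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Authorization filter that validates the anti-forgery token pair for requests
// whose form token travels in a header instead of a form field.
public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string HeaderName = "X-RequestVerificationToken";          // assumed name
    private const string FormFieldName = "__RequestVerificationToken";     // field rendered by Html.AntiForgeryToken()

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // First half: the anti-forgery cookie. The browser attaches it to every
        // request, including one triggered from a foreign origin, which is exactly
        // why the cookie alone proves nothing.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;

        // Second half: the form token. A normal form post carries it as a hidden
        // field; the Ajax DELETE carries it in a header copied from that field by
        // the page's script. A foreign origin cannot read the field, so it cannot
        // supply a header that matches the cookie.
        string formToken = request.Headers[HeaderName] ?? request.Form[FormFieldName];

        // Throws HttpAntiForgeryException when the pair is missing or does not match.
        AntiForgery.Validate(cookieToken, formToken);
    }
}

public class ItemsController : Controller
{
    [HttpDelete]
    [ValidateAjaxAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        // ... delete item `id` on behalf of the authenticated user ...
        return new HttpStatusCodeResult(204);
    }
}
```

The filter accepts either transport, so the same action can be reached from a regular form and from the Ajax link. Keeping the method restricted to DELETE is still worthwhile, but it is the token check that stops a cross-site request, because the attacker's page controls the method and the URL but not the token value.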

HTMLDecode In A Object DataSource?

Jun 3, 2010

I have written a tiered application for a mate of mine to store and manage his massive CD collection. When I save the album name I HtmlEncode the input. I then use a drop-down list on another page that pulls back all the albums linked to a specific artist, but when I get the data back from my Object Data Source the data is still encoded. At what point do I need to decode the data? Is it right at the beginning in the DAL or in the actual drop-down list?

View 3 Replies

C# - HttpUtility.HtmlDecode Not Decoding Spaces?

Mar 31, 2011

I have this string:

string test = HttpUtility.HtmlDecode("http://test.com/Folder1/Folder2/my%20view.aspx");

When I look into test it still has %20 instead of a space. Why is it not decoding this?

View 2 Replies
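The two encoding layers that both the "HtmlEncode() And HtmlDecode() Not Working Correctly" post and the %20 post run into, as an added example that is not code from either post. URL encoding (%XX escapes, '+' for space) belongs to the URL itself and is handled by UrlEncode/UrlDecode; HTML encoding (&amp;, &lt;, &quot;) belongs to the page the URL is embedded in and is handled by HtmlEncode/HtmlDecode. The example builds a link from constructed query values, applies the two layers in the right order, and shows each decoder ignoring the other layer's escapes. The page name and query values are made up; the Folder1/Folder2 path is the one from the post.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;

public static class UrlAndHtmlEncoding
{
    // URL layer: each query name and value is URL-encoded so that '&', '=', ';' and
    // spaces inside a value cannot be read as query-string structure. UrlEncode
    // writes ';' as %3b and a space as '+'.
    public static string BuildHref(string page, params KeyValuePair<string, string>[] query)
    {
        var sb = new StringBuilder(page);
        for (int i = 0; i < query.Length; i++)
        {
            sb.Append(i == 0 ? '?' : '&');
            sb.Append(HttpUtility.UrlEncode(query[i].Key));
            sb.Append('=');
            sb.Append(HttpUtility.UrlEncode(query[i].Value));
        }
        return sb.ToString();
    }

    // HTML layer: the finished URL goes into a quoted href attribute, so the whole
    // string is HTML-encoded. That turns the '&' separators into &amp; (required in
    // HTML) and leaves the %XX escapes alone, because they are not HTML entities.
    public static string BuildAnchor(string href, string linkText)
    {
        return "<a href=\"" + HttpUtility.HtmlEncode(href) + "\">"
             + HttpUtility.HtmlEncode(linkText) + "</a>";
    }

    // HtmlDecode undoes only the HTML layer: &amp; becomes '&' again and the result
    // equals the original href, %3b and '+' included.
    public static bool HtmlLayerRoundTrips(string href)
    {
        return HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(href)) == href;
    }

    // UrlDecode undoes only the URL layer: %20 becomes a space, %3b a semicolon.
    public static string DecodeUrlLayer(string s)
    {
        return HttpUtility.UrlDecode(s);
    }

    public static void Main()
    {
        string href = BuildHref("https://www.example.com/view.aspx",
            new KeyValuePair<string, string>("file", "my view;draft"),
            new KeyValuePair<string, string>("id", "42"));

        Console.WriteLine(href);
        Console.WriteLine(BuildAnchor(href, "Open <file>"));
        Console.WriteLine(HtmlLayerRoundTrips(href));

        string path = "http://test.com/Folder1/Folder2/my%20view.aspx";
        Console.WriteLine(HttpUtility.HtmlDecode(path));   // %20 untouched: not an entity
        Console.WriteLine(DecodeUrlLayer(path));           // %20 becomes a space
    }
}
```

The order matters: URL-encode the parts, assemble the URL, then HTML-encode the whole thing for the attribute. Reversing the order (HTML-encoding a value and then URL-encoding the URL) is what produces stray %3b sequences, because the ';' of an entity like &amp; gets percent-escaped. The safe fix is to stop at the layer that produced them rather than stripping "%3b" afterwards.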

HttpUtility.HtmlDecode Cannot Decode ASCII Greater Than 127?

Oct 22, 2010

I have a list of characters that display fine in WebBrowser in the form of encoded characters such as &#65533; ... But when posting these characters onto the server I realized that HttpUtility.HtmlDecode cannot convert them to characters as the browser did; they all become spaces.

text = System.Web.HttpUtility.HtmlDecode("");

I expect it to return € but it returns a space instead. The same thing happens for some other characters as well.

View 2 Replies

Web Forms :: HttpUtility.HtmlDecode = True In Webconfig?

Jul 7, 2010

Is there any way to add HttpUtility.HtmlDecode = true in web.config? I have 1000s of textboxes. I cannot add this to all of them.

View 2 Replies

Access :: Server.HtmlDecode The Right Tool / Preserve The Line Breaks Of Course?

Oct 29, 2010

This stems from a recent similar issue: I have since added edit capabilities. My Access db is made up of imported records from recipes. In the memo fields are paragraphs users have typed, replete with ingredients listed in succession (1 per line), then a normal paragraph follows. When in edit mode (multi-line textbox), suddenly each line ends with <br>. How to fix this? I want to preserve the line breaks of course.

View 2 Replies
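Both the "C# - HTMLencode HTMLdecode?" post (paragraph breaks vanish after encoding) and this one (lines end with <br> in the edit box) come down to the same pair of conversions, shown here as an added example that is not code from either post. HtmlEncode does not touch newlines, and HTML treats a newline as ordinary whitespace, so the display side has to add <br /> tags itself; the edit side has to remove exactly those tags again before decoding. The recipe-style input is constructed.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class PlainTextHtml
{
    // Display direction: encode first, so a user-typed '<' becomes &lt;, then turn
    // the line breaks into <br /> tags that this code adds. Nothing the user typed
    // ever becomes a tag.
    public static string ToHtml(string plainText)
    {
        string encoded = HttpUtility.HtmlEncode(plainText ?? string.Empty);
        return encoded.Replace("\r\n", "<br />").Replace("\n", "<br />");
    }

    private static readonly Regex BrTag =
        new Regex(@"<br\s*/?>", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Edit direction: undo the two steps of ToHtml in reverse order. The <br>
    // replacement runs before HtmlDecode, so a user who literally typed "<br>"
    // (stored as &lt;br&gt;) gets that text back rather than a line break.
    public static string ToEditText(string html)
    {
        string withNewlines = BrTag.Replace(html ?? string.Empty, Environment.NewLine);
        return HttpUtility.HtmlDecode(withNewlines);
    }

    public static void Main()
    {
        // Constructed input: ingredients one per line, then a paragraph.
        string typed = "2 eggs\n1 cup flour\n\nMix well & bake <30 min>.";

        string html = ToHtml(typed);
        Console.WriteLine(html);

        // Loading the same value back into a multi-line TextBox restores the
        // original text, newline style aside.
        string edit = ToEditText(html).Replace(Environment.NewLine, "\n");
        Console.WriteLine(edit == typed);
    }
}
```

Store the plain text and call ToHtml at render time where you can; where the stored field already contains the <br> form, as in the Access database above, ToEditText is what loads it into the TextBox and ToHtml is what writes it back. A numbered list needs the same treatment with a <ol>/<li> wrapper added by the code, not by the user.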

AJAX :: Server.HTMLDecode Works But Modal Popup Doesn't Close

Oct 19, 2010

As the title of this post already mentions, I'm using a modal popup window to edit rows in the gridview. One column in the gridview contains a URL code. When I fire the edit button a popup opens and shows the URL in a textbox in this format: [URL]

When I am using the Server.HTMLDecode function, the modal popup doesn't close anymore.

I am using the following code:

[Code]....

The funny thing is, when I change it to txtURL.Text = row.Cells[3].Text; then I can close the modal popup, but unfortunately it is not decoded.

View 3 Replies

How To Pass Value Into Linkbutton Using HtmlEncode

Apr 14, 2010

How to pass a value into a LinkButton using HttpUtility.HtmlEncode?

When the user clicks on Pass, I need to pass the value in UrlVaule to another page for some processing.

My code is as below, but it doesn't work:

<asp:LinkButton
ID="lnkPassValue"
runat="server">Pass</asp:LinkButton>

// code-behind
lnkPassValue.Text = string.Format(lnkPassValue.Text, HttpUtility.HtmlEncode(UrlVaule));

View 3 Replies

C# - Htmlencode() For A Specific Tags Only?

Aug 20, 2010

I have a long string that can contain HTML tags. Applying HtmlEncode will encode all the tags, but I want this method to leave some specific tags intact.

View 3 Replies

HTMLEncode On A Class Module /looking For Server

Jan 21, 2010

I put this code Server.HtmlEncode in a class module, and I can't find the Imports class for it??

Where is it for Server. ???

View 2 Replies

Web Forms :: Server.HtmlEncode To All Controls?

Sep 23, 2010

I have used Server.HtmlEncode(MY TEXT) to display data.

I have set the page property validateRequest="false" in the .config file;

all this is working fine. Since I have a large application using hundreds of labels and text boxes to show data,

it is now almost impossible (time consuming) for me to place Server.HtmlEncode(MY TEXT) everywhere while setting data to them, e.g. in label.Text, textbox.Text, etc.

Is there any way to set the property somewhere so that all the labels and text boxes automatically use Server.HtmlEncode() when I set their text?

View 1 Replies

How To Use Server.HtmlEncode In Class Project In C#

Jun 14, 2010

How can I use this in a class project in C#?

Server.HtmlEncode?

View 1 Replies

C# - How To Apply Server.HtmlEncode For Every TextBox In A Page

Nov 26, 2010

I have many TextBoxes in a page. I would like to know if there is a way to check programmatically all input for these TextBoxes and

apply Server.HtmlEncode to each one,

so I do not need to apply Server.HtmlEncode for every single string.

View 4 Replies
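For the "Server.HtmlEncode To All Controls?" post and this one, the central place to apply the encoding is the control that renders the text, not the code that assigns it; the following is an added example, not code from either post. It assumes a Web Forms project and a hypothetical MyApp.Controls namespace. A TextBox already HTML-encodes its value attribute when it renders, so the control that needs help is Label, whose Text is written raw.

```csharp
using System.Web.UI;
using System.Web.UI.WebControls;

namespace MyApp.Controls   // hypothetical namespace
{
    // A Label that HTML-encodes Text at render time. Text itself stays raw, so
    // code-behind keeps assigning plain strings and nothing is encoded twice.
    public class SafeLabel : Label
    {
        protected internal override void RenderContents(HtmlTextWriter writer)
        {
            if (HasControls())
            {
                // Child controls (templated content) render themselves.
                base.RenderContents(writer);
                return;
            }

            // WriteEncodedText applies the same HTML encoding as HttpUtility.HtmlEncode.
            writer.WriteEncodedText(Text);
        }
    }
}
```

To switch every existing <asp:Label> to this class without touching the pages, map the tag in web.config under <system.web><pages><tagMapping> with tagType="System.Web.UI.WebControls.Label" and mappedTagType="MyApp.Controls.SafeLabel, MyApp". For text written by data-binding expressions, ASP.NET 4 adds the <%: %> syntax, which encodes where <%= %> does not; that is the equivalent for template fields. Encoding input as it arrives (the second post's approach) is not needed once output is handled this way, and it would break any non-HTML use of the stored value.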

Use HtmlEncode In Details View TemplateItem Control?

Jul 29, 2010

I have a DetailsView control in my ASP.NET web form, one of whose item templates gets its value from the database and shows it in a rich text box:

<FTB:FreeTextBox id="txtDescription" runat="Server" AllowHtmlMode="false" Text='<%# (Eval("Description") )%>'
>
</FTB:FreeTextBox>

but when I click on the insert or update button, I get the following error:

A potentially dangerous Request.Form value was detected from the client ....

I tried this:

Text='<%# HttpUtility.HtmlDecode((string)Eval("Description"))%>'

but it did not work either, and I got the error again. Is there any way except turning ValidateRequest off?

View 1 Replies

Forms Data Controls :: HTMLEncode In A Repeater?

Mar 6, 2011

I am using a nested repeater to display users' posts and replies to the posts. The posts can be of two different types: just a comment, or a comment with statistics. To display the stats column, I am building the data in the SQL like:

[Code]....

This displays Ride Time as HH:MM. I am bolding the header (RT) with the <strong> embedded in the SQL. If I bind the result into a GridView, where I can set the HtmlEncode property = false, the RT is bolded. Is there a way to accomplish this in a repeater?

View 1 Replies
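An alternative to carrying markup inside the SQL result, as an added example that is not the poster's code: keep the <strong> in the page and encode only the data. It assumes a Repeater whose ItemTemplate contains an <asp:Literal ID="litStats" runat="server" /> and a data item exposing a RideTime column; both names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class PostsPage : Page
{
    // Wired as the Repeater's OnItemDataBound handler.
    protected void rptPosts_ItemDataBound(object sender, RepeaterItemEventArgs e)
    {
        if (e.Item.ItemType != ListItemType.Item && e.Item.ItemType != ListItemType.AlternatingItem)
        {
            return;   // header, footer and separator rows carry no data item
        }

        var litStats = (Literal)e.Item.FindControl("litStats");
        object rideTime = DataBinder.Eval(e.Item.DataItem, "RideTime");

        // The markup is a constant owned by the page; only the value is encoded.
        // With HtmlEncode=false on a GridView column, or with a Literal fed raw
        // text, any HTML present in the data would be rendered as markup too.
        litStats.Text = "<strong>RT</strong> " + HttpUtility.HtmlEncode(Convert.ToString(rideTime));
    }
}
```

The same split works directly in the template: a literal <strong>RT</strong> in the markup followed by a data-binding expression for the time, encoded with HttpUtility.HtmlEncode or the ASP.NET 4 <%: %> syntax. The SQL then returns the time value only.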

Allow Japanese Characters To Bypass C#s HtmlEncode Method?

Apr 4, 2011

I need to scrub data for malicious content in a form (whose website is UTF-8 encoded), so I'm doing the following:

myTextBox.Value = System.Web.HttpUtility.HtmlEncode(value); where value is the data to be placed in the TextBox. This does correctly scrub malicious data such as Javascript calls, but also turns Japanese characters into their UTF-8 equivalents, such as &#24859;

Is there a way to skip those characters from being encoded, like some sort of range?

View 1 Replies

Web Forms :: Are Server.Htmlencode,Urlencode Useless Functions!

Feb 2, 2010

To protect against XSS we should pass all input from textboxes through the Server.HtmlEncode function.

1) If I let an input go through Server.HtmlEncode and save it in the database. But what happens if I later show this input data from the database in the browser ... if the database input data has <script> it will then make XSS!!!!

2) I use Server.HtmlEncode.. and the user writes <b>ss<b>... (label.text = userinput.text;) and I WANT to show ss in the browser. What should I do to make this happen??

View 4 Replies
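Point 2 above and the earlier "Htmlencode() For A Specific Tags Only?" post both ask for encoding that lets a few harmless tags through. The following is an added example, not code from either post: encode everything, then restore an exact allowlist of bare tags. Because only fixed literal strings such as <b> and </b> are put back, a tag carrying any attribute (onclick, href, style) or any tag outside the list stays encoded. The tag list and the sample input are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class LimitedHtml
{
    // Tags that may appear in output, without attributes, lower-case only.
    private static readonly string[] AllowedTags = { "b", "i", "strong", "em", "p", "br" };

    public static string EncodeExcept(string input, IEnumerable<string> allowedTags)
    {
        // Step 1: neutralise everything.
        string encoded = HttpUtility.HtmlEncode(input ?? string.Empty);

        // Step 2: restore only the exact forms <tag>, </tag> and <tag />.
        // "&lt;b&gt;" cannot match "&lt;br&gt;" or "&lt;b onclick=...&gt;", so the
        // replacement can only ever produce one of these known strings.
        foreach (string tag in allowedTags)
        {
            encoded = encoded
                .Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">")
                .Replace("&lt;" + tag + " /&gt;", "<" + tag + " />");
        }
        return encoded;
    }

    public static string Render(string input)
    {
        return EncodeExcept(input, AllowedTags);
    }

    public static void Main()
    {
        // Constructed input mixing wanted formatting with hostile markup.
        string userText = "<b>ss</b> and <script>alert(1)</script> and <b onclick=\"x()\">no</b>";
        Console.WriteLine(Render(userText));
    }
}
```

In the sample, <b>ss</b> comes back as bold, the script element stays as visible &lt;script&gt; text, and the <b onclick> start tag stays encoded while its plain </b> is restored, which leaves an unmatched closing tag that browsers simply ignore. This approach trades expressiveness for a very small attack surface; an application that needs attributes (links, images) needs a real HTML sanitiser with an attribute allowlist rather than a longer tag list here.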

Mock Server.HtmlEncode - Returns Null Reference?

Nov 16, 2010

I'm trying to mock Server.HtmlEncode(), but I keep getting a null reference exception. I'm pretty new to the Moq framework; here is my code:

var context = new Mock<HttpContextBase>();
var request = new Mock<HttpRequestBase>();
var response = new Mock<HttpResponseBase>();
var session = new Mock<HttpSessionStateBase>();
var server = new Mock<HttpServerUtilityBase>();
server.Setup(svr => svr.HtmlEncode(It.IsAny<string>())).Returns((string s) => s);
context.Setup(ctx => ctx.Request).Returns(request.Object);
context.Setup(ctx => ctx.Response).Returns(response.Object);
context.Setup(ctx => ctx.Session).Returns(session.Object);
context.Setup(ctx => ctx.Server).Returns(server.Object);

I've also tried the following:

context.Setup(ctx => ctx.Server.HtmlEncode(It.IsAny<string>())).Returns((string s) => s);

I've found a solution, but it seems an outdated solution as Expect has been replaced with Setup.

View 2 Replies

Forms Data Controls :: Using Htmlencode On Detailsview And Gridview?

Feb 1, 2010

We are using a GridView to display data and a DetailsView to show details, update, insert, and delete as needed. I am a bit confused on whether or not HtmlEncode and HtmlDecode are needed when storing data from the DetailsView. GridViews always use BoundFields and I think encoding and decoding is built in. For the DetailsView we use mostly TemplateFields (Eval(), Bind()), some BoundFields, and some data is stored in code-behind using e.Values[] or e.NewValues[]. Here is where I've got the idea: http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.detailsview.itemupdated.aspx

If I use the iteration and HtmlEncode, DetailsView read-only mode displays decoded data. However, the GridView displays encoded data, and of course the update mode of the DetailsView. So, it seems like the DetailsView is using HtmlEncode and HtmlDecode somewhat, but I am not clear as to what degree and what would be the best way to handle it.

View 2 Replies

4.0 Framework Request Validation Will Not Allow Code-behind To Htmlencode Textboxes?

Jan 8, 2011

I have a form for which I have been getting submissions that have punctuation and special characters that trigger the potentially dangerous Request.Form value error. I have been trying to use the HttpUtility.HtmlEncode and Server.HtmlEncode methods to sanitize textboxes and textareas. All my tests do not fire because the built-in request validation of the 4.0 framework prevents the code-behind from executing to perform the sanitization. I have included ValidateRequest in the page header, but no matter what I set it to it still does the same thing.

This is the code I have so far.

Session("RequestID") = Server.HtmlEncode(txtRequestID.Value)
Session("FirstName") = Server.HtmlEncode(txtInstFirstName.Text)
Session("LastName") = Server.HtmlEncode(txtInstLastName.Text) [code]....

What can I do to make this work? According to all the websites I have visited it should work.

View 3 Replies
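Request validation runs when ASP.NET first reads the posted form, before any page event, which is why code-behind encoding never gets a chance here or in the earlier "Use HtmlEncode In Details View TemplateItem Control?" post. ASP.NET 4.0 lets the validator itself be replaced, so the exemption can be scoped to the one field that legitimately carries HTML instead of switching ValidateRequest off for the whole page. The following is an added example, not code from either post; the MyApp.Security namespace and the txtDescription field name are assumptions taken from the DetailsView post.

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace MyApp.Security   // hypothetical namespace
{
    // Custom request validator: everything is checked as before except one named
    // form field, which is allowed to contain markup. Whatever that field accepts is
    // HTML by design and must still be encoded or sanitised wherever it is rendered.
    public class DescriptionFieldRequestValidator : RequestValidator
    {
        // The posted form key is the control's UniqueID, which carries its container
        // prefix (for example "DetailsView1$txtDescription"), so match on the suffix.
        private const string ExemptFieldSuffix = "$txtDescription";

        protected internal override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            if (requestValidationSource == RequestValidationSource.Form
                && collectionKey != null
                && collectionKey.EndsWith(ExemptFieldSuffix, StringComparison.Ordinal))
            {
                validationFailureIndex = -1;
                return true;
            }

            // Query string, cookies, headers and every other form field keep the
            // built-in "potentially dangerous" check.
            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }
    }
}
```

Register it in web.config with <httpRuntime requestValidationType="MyApp.Security.DescriptionFieldRequestValidator, MyApp" /> (the assembly name is an assumption). For the form in the post above, whose submissions contain punctuation rather than markup, the better question is which specific character trips the check; ordinary punctuation does not, and a value that does is exactly the one that must be encoded on output rather than decoded on input.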

Copyrights 2005-15 www.BigResource.com, All rights reserved