1Plus1Is3
Member
5 Points
5 Posts
how to use Server.htmlEncode
May 20, 2011 08:25 AM
Hi,
We have a forum site in which we want to allow our users to inject HTML content which should not be rendered on the site but should just display as text on the page, with tags.
On the web everyone is saying to turn off the ValidateRequest flag and use HtmlEncode. I tried that and it works fine on my site. But the MSDN article http://msdn.microsoft.com/en-us/library/a2a4yykt%28v=VS.90%29.aspx says that this is not recommended.
So:
1. I want to know what the recommended implementation of this feature would be.
2. What are the impacts if I implement this with HtmlEncode and ValidateRequest="False"?
Thanks in advance
Dhaval Tawar
Participant
1462 Points
321 Posts
Re: how to use Server.htmlEncode
May 20, 2011 01:23 PM
Server.HtmlEncode("<script>") will result in <script>
Actually, when you allow users to add HTML code and you do not encode it, it will not show it as it is.
It will act as part of your page's HTML. That means the script will be executed if not encoded.
Dhaval Tawar
Please mark as answer if you find solution by this post
roopeshreddy
All-Star
20143 Points
3327 Posts
Re: how to use Server.htmlEncode
May 20, 2011 03:22 PM
Hi,
Microsoft won't recommend it because users can inject malicious scripts. But if you know it won't happen to your site, you can go ahead and turn off ValidateRequest.
Server.HtmlEncode() is an awesome method, which prevents executing the scripts.
Hope it helps you...
Roopesh Reddy C
Roopesh's Space
shahed.kazi
All-Star
17953 Points
3635 Posts
Re: how to use Server.htmlEncode
May 21, 2011 10:11 AM
It means the user inputs will not be validated if the user enters malicious code, for example entering JavaScript. What I should do is set ValidateRequest to false, so users can enter HTML on the forum, but encode the HTML before entering it into the database. When retrieving the data, you should decode the data using Server.HtmlDecode("html data").
.NET World | Captcha Control
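As an added example (my own code, not posted by anyone in this thread), the snippet below shows the encode-at-output pattern the replies above are circling around: keep ValidateRequest="false" limited to the page that accepts HTML, store what the user typed, and run it through HtmlEncode at the point where it is written into the page. Server.HtmlEncode is a thin wrapper over HttpUtility.HtmlEncode, which is why the example calls the latter directly and can run as a console program against System.Web.dll. The class name, method names and the sample post are constructed for illustration; the last method exists only to make visible what happens if stored text is passed through HtmlDecode before rendering, as the previous reply suggests.

```csharp
// Added example, not code from the thread or from Microsoft.
// Shows how a forum can display user-typed HTML literally (tags visible,
// not rendered). Compile against System.Web.dll (ASP.NET / .NET Framework);
// on .NET Core use System.Net.WebUtility.HtmlEncode instead.
using System;
using System.Web;

public static class ForumPostRenderer
{
    // 1. Scope ValidateRequest="false" to the page(s) that accept HTML,
    //    not the whole site:   <%@ Page ValidateRequest="false" ... %>
    //    On ASP.NET 4 that page-level setting only takes effect with
    //    <httpRuntime requestValidationMode="2.0" /> in web.config.

    // 2. Save the post exactly as typed (hypothetical helper). Storing the
    //    raw text keeps one canonical copy that can be encoded for whichever
    //    context later renders it (HTML body, attribute, JSON, ...).
    public static string ForStorage(string userInput)
    {
        return userInput ?? string.Empty;
    }

    // 3. Encode when writing into the page. "<" becomes "&lt;", ">" becomes
    //    "&gt;", so the browser shows the tag as text instead of executing it.
    //    Server.HtmlEncode(...) in a Page does the same thing.
    public static string ForHtmlBody(string storedPost)
    {
        return HttpUtility.HtmlEncode(storedPost);
    }

    // Text placed inside an attribute value (title="...", value="...") needs
    // quotes encoded as well; HtmlAttributeEncode covers that case.
    public static string ForHtmlAttribute(string storedPost)
    {
        return HttpUtility.HtmlAttributeEncode(storedPost);
    }

    // What to avoid: decoding before rendering undoes step 3. The result is
    // the raw markup again, and a <script> tag in it would run in the browser.
    public static string DecodedBeforeRender(string storedPost)
    {
        return HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(storedPost));
    }

    public static void Main()
    {
        // Constructed sample post: the kind of input the thread is about.
        string typed = "<script>alert('hi')</script> and <b>bold</b>";
        string stored = ForStorage(typed);

        Console.WriteLine("Safe for the page body:   " + ForHtmlBody(stored));
        Console.WriteLine("Safe for an attribute:    " + ForHtmlAttribute(stored));
        Console.WriteLine("Decoded before render:    " + DecodedBeforeRender(stored));
    }
}
```

In an ASPX page the same thing is `<%= Server.HtmlEncode(post) %>`, or on ASP.NET 4 simply `<%: post %>`, which encodes automatically. The point to keep in mind from the defender's side is that encoding protects only the output it is applied to: if the stored copy is decoded again before it reaches the browser, or written into a place the encoder does not cover (a script block, a URL), the injected tags are live markup again.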