Last post Nov 06, 2008 03:11 AM by TATWORTH
Nov 03, 2008 12:23 PM|desertfoxaz|LINK
I've seen a lot of recommendations to HTML encode any data that is written to the page, but does this apply to WebControls as well, or do they automatically do this for you? I know the GridView control automatically HtmlEncodes data unless you tell it not
to, but do other controls do this (e.g. a TextBox control) or should I explicitly do this myself?
I rarely write back anything to the screen after capturing it, but I do take data entered by the user, save it in a database or throw it to a web method, and will eventually display it when it's needed. We've taken precautions to prevent SQL injection (using
bind variables/parameterized queries), but I wonder if it's necessary to both encode and decode user-entered data. Each page's request validation is enabled and we have no reason to turn it off, and we use input masks and validators where appropriate to restrict
Nov 03, 2008 12:35 PM|shados|LINK
Unfortunately, the answer is "it depends". Labels by default do not. Literals have an option that toggles how they encode. Gridviews do by default (but you can toggle it off). Textboxes, I don't remember if they do or not; I -think- yes.
So it is a case by case basis, unfortunately. Definitely somewhere they could improve the behavior to make it more consistent. That said, the only time you need to HTMLEncode is if the data came from an untrusted source (let's say a user can enter it, and
it is displayed elsewhere). It is just a safer bet to almost always do so. Remember untrusted source includes things like query strings and cookies.
If request validation is on (a lot of people turn it off since it basically causes the app to crash on an invalid input), you're more or less safe though.
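As an added example (not code from any poster in this thread), here is the per-control contrast shados describes, in an ASP.NET Web Forms C# code-behind: the Label is encoded explicitly because it writes its Text as-is, the Literal is told to encode via its Mode, and the GridView BoundField is left at its default HtmlEncode="true". The control IDs, the CommentRow type and the stored payload string are constructed for illustration.

```csharp
// Added example, not from the thread. Shows which Web Forms controls encode for you and which do not.
// Assumes a page whose markup declares these controls (IDs are made up for this example):
//   <asp:Label    ID="lblComment" runat="server" />
//   <asp:Literal  ID="litComment" runat="server" Mode="Encode" />
//   <asp:GridView ID="gvComments" runat="server" AutoGenerateColumns="false">
//     <Columns>
//       <asp:BoundField DataField="Body" HeaderText="Comment" />   <%-- HtmlEncode defaults to true --%>
//     </Columns>
//   </asp:GridView>
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class CommentPage : Page
{
    // Normally the designer partial declares these; declared here so the file stands alone.
    protected Label lblComment;
    protected Literal litComment;
    protected GridView gvComments;

    // Constructed sample of what may already sit in the database. Request validation only
    // inspects the *current* request's form fields, query string and cookies; a value that
    // arrived earlier, through a web method or another application, is not re-checked here.
    private const string StoredComment = "<script>alert(document.cookie)</script>";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Label.Text goes to the response verbatim, so encode at output time.
        lblComment.Text = ForHtmlBody(StoredComment);
        // Renders as: &lt;script&gt;alert(document.cookie)&lt;/script&gt;

        // Literal encodes on render only when Mode is Encode (PassThrough is the default).
        litComment.Mode = LiteralMode.Encode;
        litComment.Text = StoredComment;

        // BoundField.HtmlEncode is true unless someone set HtmlEncode="false" in markup,
        // so the GridView cell is encoded without any extra code.
        gvComments.DataSource = new List<CommentRow> { new CommentRow { Body = StoredComment } };
        gvComments.DataBind();
    }

    // Encode exactly once, at the point where the value is written into an HTML text node.
    // Encoding when saving and again when displaying produces visible "&amp;lt;" garbage,
    // and storing encoded data ties the database to one output context (HTML) only.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    public class CommentRow
    {
        public string Body { get; set; }
    }
}
```

The rule of thumb the code follows: store raw, encode on output, and pick the encoder for the context (HtmlEncode for element content and quoted attributes, HtmlAttributeEncode or UrlEncode where the value lands in an attribute or a URL). Encoding at save time is tempting but makes the stored value unusable for any other consumer of the database.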
Nov 04, 2008 11:28 AM|desertfoxaz|LINK
See this excellent article:
What's wrong with ASP.NET? HTML Encoding
Nov 06, 2008 03:11 AM|TATWORTH|LINK
>I do take data entered by the user
If this data is allowed to contain HTML tags, then I suggest you use the IsValidHtmlFragment to validate it. It uses a white list of acceptable HTML tags. It is part of the CommonData project at
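As an added example (not the CommonData project's code, whose implementation is not shown here), a deliberately strict whitelist validator in the spirit TATWORTH describes: it accepts a fragment only if every `<` begins a well-formed tag from a short allowlist, no tag carries attributes, and open and close tags balance. It validates rather than sanitises, so a rejected fragment is refused outright instead of being "cleaned". The tag list and the method name are assumptions for this example.

```csharp
// Added example, not from the thread or the CommonData project.
// Strict accept/reject validator for user-supplied HTML fragments.
// Assumption: only these formatting tags, with no attributes at all, are acceptable.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class HtmlFragmentPolicy
{
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "b", "i", "em", "strong", "p", "br", "ul", "ol", "li" };

    // A tag is '<', optional '/', a name starting with a letter, optional whitespace,
    // optional '/', then '>'. Attributes, comments, CDATA and processing instructions
    // do not match, so any '<' that starts one of them fails the fragment.
    private static readonly Regex TagPattern =
        new Regex(@"<(/?)([A-Za-z][A-Za-z0-9]*)\s*(/?)>", RegexOptions.Compiled);

    public static bool IsValidHtmlFragment(string fragment)
    {
        if (fragment == null) return false;

        var open = new Stack<string>();
        int pos = 0;
        while (true)
        {
            int lt = fragment.IndexOf('<', pos);
            if (lt < 0) break;

            // The tag must start exactly at this '<'; a match further along means this
            // '<' was loose text (or the start of something we do not understand).
            Match m = TagPattern.Match(fragment, lt);
            if (!m.Success || m.Index != lt) return false;

            string name = m.Groups[2].Value.ToLowerInvariant();
            if (!AllowedTags.Contains(name)) return false;

            bool closing = m.Groups[1].Value == "/";
            bool selfClosing = m.Groups[3].Value == "/";
            if (closing)
            {
                // Close tag must match the most recent open tag; "</br>" and stray closers fail.
                if (open.Count == 0 || open.Pop() != name) return false;
            }
            else if (!selfClosing && name != "br")
            {
                open.Push(name);
            }
            pos = m.Index + m.Length;
        }

        // Unclosed tags are rejected so the fragment cannot swallow the markup that follows
        // it on the page. A bare '>' in text is harmless and is allowed through.
        return open.Count == 0;
    }
}

// Constructed inputs, for illustration:
//   IsValidHtmlFragment("<p>Hello <b>world</b></p>")            -> true
//   IsValidHtmlFragment("<p>a <b>b</p></b>")                     -> false (mis-nested)
//   IsValidHtmlFragment("<b onmouseover=\"x()\">hi</b>")         -> false (attribute)
//   IsValidHtmlFragment("<script>alert(1)</script>")             -> false (not in allowlist)
//   IsValidHtmlFragment("1 < 2")                                 -> false (loose '<'; write &lt;)
```

Two caveats a practitioner would want stated. First, this is a validator: the untrusted text is still written to the page unencoded, so it must be applied to every path that can store such a fragment, not just the form with request validation on. Second, a regex-driven check like this is only safe because it is so restrictive (no attributes, no unknown constructs); if the requirement grows to allow links or images, switch to a parser-based sanitiser rather than widening the regex.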