Last post Jul 10, 2012 11:13 AM by mattcase
Jul 10, 2012 10:54 AM | mattcase
How important is it to use HttpUtility.HtmlEncode() for entries like Name, Address, Phone, Email, etc. textboxes? I want to make my application very secure, but I don't want to spend a lot of time doing things that are not that important.
Jul 10, 2012 11:02 AM | BrockAllen
Security is hard because the defender has to protect every way in. The attacker has it easy because they only have to find one weakness.
The basic issue is untrusted input. If the user is entering the data it's untrusted and it needs to be encoded. Also, if the value is coming from the database -- is that trusted data? Who entered it and was it scrubbed before persisting to the database?
If the value is coming from the config file -- is that trusted? What about the returned data from a web service call -- is that trusted?
If you're in Razor then you automatically get HtmlEncoding. If you're in WebForms then you can use the <%: foo %> syntax to make it easier to get encoding (less typing).
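An added example (not code from either poster) of the point above: the output is encoded at render time no matter where the value came from, which is what `<%: foo %>` in WebForms and `@foo` in Razor do for you. The `Customer` class and the sample values are constructed for illustration.

```csharp
using System;
using System.Web;

// Constructed for this example: a record whose fields came from a form post
// or from the database. Neither source makes the value trusted.
public class Customer
{
    public string Name { get; set; }
    public string Email { get; set; }
}

public static class CustomerView
{
    // Rendering without encoding: any markup inside the string becomes part
    // of the page. This is what <%= customer.Name %> does in WebForms.
    public static string RenderUnencoded(Customer c)
    {
        return "<li>" + c.Name + " (" + c.Email + ")</li>";
    }

    // Rendering with HtmlEncode: '<', '>', '&' and quotes become entities, so
    // the browser shows them as text. This is the equivalent of
    // <%: customer.Name %> in WebForms and @customer.Name in Razor.
    public static string RenderEncoded(Customer c)
    {
        return "<li>" + HttpUtility.HtmlEncode(c.Name)
             + " (" + HttpUtility.HtmlEncode(c.Email) + ")</li>";
    }

    public static void Main()
    {
        // Constructed sample: a "name" that carries markup. Whether it was typed
        // into a textbox a moment ago or stored months ago, it is still input.
        var c = new Customer
        {
            Name = "<b>Bob</b> & Co",
            Email = "bob@example.com"
        };

        Console.WriteLine(RenderUnencoded(c)); // the <b> tag is interpreted by the browser
        Console.WriteLine(RenderEncoded(c));   // the tag is displayed literally as text
    }
}
```

The same rule applies to values read from config or returned by a web service: encode at the point of output, for the context you are writing into, rather than deciding per source whether it "looks" trusted.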
Jul 10, 2012 11:04 AM | BrockAllen
Oh I was going to also mention -- the AntiXSS/WPL library on codeplex -- they have a Sanitize API to clean data before you store it to the DB. This is a nice extra layer of protection.
Jul 10, 2012 11:13 AM | mattcase
Excellent! Thanks for your reply and the great advice; it lines up exactly with other articles I have been reading.