Tuesday, June 12, 2007

ASP.NET Html Encoding

So have you ever had an ASP.NET application where you placed a couple of TextBox’s on but soon realized that when you entered in something like ‘1 is < 2’ or even more blunt and to the point “<div> hello </div><script type=’text/javascript’>alert(‘something bad’)</script>” and when you performed a post back you would get a nice little error from the server? Well if you haven’t had this happen you may experience this some time in the future so hopefully you’ll remember this bit of info and you wont be left scratching you head.

So this is actually a feature. I mean if you mistakenly forgot to verify some user input you might end up with some nice html injections on your site, and no-one wants those right. So this will display an error (not just a little ‘hello here I am now you can move on’ error, but an error that you probably don’t want people seeing either). So if you want to handle on your own you can disable the error that gets displayed by adding this little bit of text to your page directive (you can also add a setting to the web.config to make a system wide change, but I don’t think it’s recommended since you may overlook a place where they’re not being handled)


Now you’ll no longer get the errors. But now what? How are you going to handle these potential pests? Another little built in feature is the HTML encode/decode functions of the HttpServerUtility class. You might quickly find out though that this is a sealed class with no available constructors so there’s no making your own instance of this class. This class is however available to your Pages through the Server object (Server.HtmlEncode / Server.HtmlDecode). So now when someone sends in ‘<div>hello’ you can handle this by passing the text into the HtmlEncode(string) method and you’ll get back the encoded text ‘&ltdiv&gthello’ and if you want to update your text-box with the newly added info you can simply make a call to HtmlDecode(string) and get back ‘<div>hello’.

No comments: