c# - Using HttpUtility.HtmlEncode and handling special characters/umlaut etc




I'm using HttpUtility.HtmlEncode to sanitise user input to prevent against XSS attacks. The problem is that HtmlEncode converts special characters such as ü to their HTML equivalent code. I can't find documentation on what it does and doesn't encode. In order to display it correctly to the user I need to HtmlDecode it.

2 questions:

How does HtmlEncode decide that it needs to encode a supposedly valid character such as ü, and not other Unicode characters or standard English language alphabet characters? Does HtmlEncode encode all non-ASCII characters? What is the best way to prevent script tags but allow special characters such as umlauts without creating a special ignore list?

Does using HtmlDecode expose a risk of converting potentially malicious JavaScript?

HtmlEncode() does 2 main things: it handles characters that aren't part of the default 127 ASCII character set, and it encodes characters that could be misinterpreted by the browser as being valid HTML, CSS or JavaScript, to prevent both accidental and intentional altering of the webpage.

Is it unsafe to use? It can be unsafe to use, depending on how you use it. The question is not so much "are you decoding?" but rather "are you decoding user data?". It can be unsafe to use, depending on what you do with the result. Displaying it to the client can cause XSS.

There is far more to be told about encoding and decoding than I can write in here, and people before me have explained it far more exhaustively than I can. This article on preventing XSS in ASP.NET can explain XSS and how you can prevent it.
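The answer's point about decoding user data, as an added example that is not part of the original post: it encodes a constructed input at output time, shows that decoding restores the script tag, and uses an encoder that leaves umlauts literal while still encoding markup. It assumes a modern .NET runtime where System.Text.Encodings.Web is available; WebUtility stands in for the page's HttpUtility so that no System.Web reference is needed, and RenderComment and Check are hypothetical helpers.

```csharp
using System;
using System.Net;
using System.Text.Encodings.Web;
using System.Text.Unicode;

static class EncodeAtOutputDemo
{
    // Hypothetical helper: encode the raw value at the moment it is placed in HTML.
    static string RenderComment(string raw, HtmlEncoder encoder) =>
        "<p class=\"comment\">" + encoder.Encode(raw) + "</p>";

    static void Main()
    {
        // Constructed sample input: umlauts next to a script tag.
        string raw = "Grüße <script>alert(1)</script>";

        // HtmlEncode turns markup characters into entities and may write
        // characters such as ü as numeric character references.
        string encoded = WebUtility.HtmlEncode(raw);
        Console.WriteLine("encoded : " + encoded);

        // A browser renders a character reference as the character itself, so the
        // encoded string is what goes into the page. Decoding it first gives back
        // the raw input, script tag included.
        string decoded = WebUtility.HtmlDecode(encoded);
        Console.WriteLine("decoded : " + decoded);
        Check(!encoded.Contains("<script"), "encoded output must not contain markup");
        Check(decoded == raw, "decoding restores the raw input");

        // To keep umlauts literal in the page source, allow their Unicode range.
        // '<', '>', '&' and quotes are still encoded regardless of allowed ranges.
        HtmlEncoder latin1 = HtmlEncoder.Create(
            UnicodeRanges.BasicLatin, UnicodeRanges.Latin1Supplement);
        string html = RenderComment(raw, latin1);
        Console.WriteLine("rendered: " + html);
        Check(html.Contains("Grüße"), "umlauts pass through unchanged");
        Check(!html.Contains("<script"), "script tag is still neutralised");
    }

    static void Check(bool ok, string what)
    {
        if (!ok) throw new InvalidOperationException("check failed: " + what);
    }
}
```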

c# asp.net utf-8 ascii html-encode
