Is it a good practice to use html.encode before passing the query string parameters to the business layer? The scenario is with respect to the ASP.NET framework, and I am wondering whether I must encode the contents of the query string before reading the values from the keys.

I know we can always convert the contents to the expected data type, but my question is from a design perspective.

Thanks!

  • I'm not sure where you are trying to encode parameters. If you are not using `Request.RawUrl`, parameters should be nicely decoded in QueryString, or even better in ASP.NET MVC action parameters... Or are you talking about some additional encoding on the client side? – Alexei Levenkov Apr 18 '13 at 01:50
  • I am talking about this: www.foo.com?number=abc. To validate that the content of the number key is abc and not 10000, is the best practice to trust the Request.QueryString["number"] value, or to additionally use html.encode before using it in the code-behind? – fooMyFavoriteVariable Apr 18 '13 at 02:16
  • `Request.QueryString["number"]` is the value the server side is supposed to see - it is decoded once (as it comes encoded in the raw URL). I see no value in encoding it (additional encoding may even make the value unusable). I suspect you are confusing it with the need to properly encode values when writing HTML... – Alexei Levenkov Apr 18 '13 at 03:53

1 Answer

I would say yes. At the very least you want to because the browser may get the encodings wrong. One symbol might show up as another, or as an unknown character. It may even get mixed up with the preceding character if the browser gets it wrong.

More complex reasons include that it helps protect against HTML injection.

The short explanation of why you need to use HTML encoding is simply that a certain set of characters mean something special in HTML, and encoding will handle symbols such as carets and ampersands gracefully across all browsers.

Timothy Randall
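The thread touches two separate steps that are easy to conflate: the query string value is URL-decoded exactly once by the framework, and HTML encoding belongs where a value is written into an HTML page. The following console program is an added example, not code from the question, the answer or ASP.NET itself; it stands in for `Request.QueryString` with `Uri.UnescapeDataString` so it runs without a web project, and the sample query values are constructed.

```csharp
// Added example (not from the question or answer). Plain .NET console code with no
// ASP.NET dependency; Uri.UnescapeDataString stands in for the decoding that
// Request.QueryString performs for you.
using System;
using System.Net;

static class QueryStringHandling
{
    // Step 1: the raw URL carries percent-encoded text; the framework decodes it
    // once into Request.QueryString["number"]. Simulated here.
    static string DecodeOnce(string rawValue) => Uri.UnescapeDataString(rawValue);

    // Step 2: validate the decoded value against what the business layer expects.
    // The type conversion is the check; HTML encoding is not a validation step.
    static bool TryReadNumber(string decoded, out int number) =>
        int.TryParse(decoded, out number);

    // Step 3: encode only at the point where the value is written into HTML.
    static string RenderSafeParagraph(string decoded) =>
        "<p>" + WebUtility.HtmlEncode(decoded) + "</p>";

    static void Main()
    {
        // Constructed sample values, as they would appear in a raw query string.
        string[] raw = { "10000", "abc", "%3Cb%3Ebold%3C%2Fb%3E", "a%26b" };
        foreach (var r in raw)
        {
            string decoded = DecodeOnce(r);
            if (TryReadNumber(decoded, out int n))
                Console.WriteLine($"{r,-22} -> accepted as number {n}");
            else
                Console.WriteLine($"{r,-22} -> rejected; if echoed back, render as {RenderSafeParagraph(decoded)}");
        }

        // Encoding the input first and then encoding again at output double-encodes:
        // "a&b" becomes "a&amp;amp;b", which the browser shows literally as "a&amp;b".
        string preEncoded = WebUtility.HtmlEncode("a&b");
        Console.WriteLine(WebUtility.HtmlEncode(preEncoded));
    }
}
```

In a real ASP.NET page `Request.QueryString["number"]` already holds the decoded value, so only steps 2 and 3 apply: convert or validate on the way into the business layer, and call `WebUtility.HtmlEncode` (or `HttpUtility.HtmlEncode` from System.Web) only when the value is placed into markup. The last two lines show why encoding before validation is counterproductive: the value no longer matches what the business layer expects, and it gets encoded a second time on output.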