I have an ASP.NET Web Forms application. There is a page with TextBoxes and users enter search terms into these which are used to query the database.

I know that I need to prevent JavaScript injection attacks. How do I do this?

In MVC I would use Html.Encode. It doesn't seem to be recognized in Web Forms.

Thanks!

asked by Mr Cricket, edited by Stacked

5 Answers

You can use HttpUtility.HtmlEncode.

answered by Badaro, edited by Stacked
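
As an added example, not code from the answer above: a single-file Web Forms page that echoes the search term back to the user with HttpUtility.HtmlEncode so that it cannot run as markup. The control IDs and the page itself are assumptions made for this example.

```aspx
<%@ Page Language="C#" %>
<%-- Added example, not code from the answer: a single-file Web Forms page that
     echoes the search term back without letting it run as markup. The control
     IDs and the page itself are assumptions made for this example. --%>
<script runat="server">
    protected void btnSearch_Click(object sender, EventArgs e)
    {
        string term = txtSearch.Text;   // untrusted: whatever the user typed

        // Vulnerable: the term is written into the page as raw HTML, so a
        // search term such as <img src=x onerror=alert(1)> executes in the browser.
        //     litResult.Text = "You searched for " + term;

        // Fixed: encode at the point where the string enters an HTML context.
        // < > & " become &lt; &gt; &amp; &quot; (and ' becomes &#39; on .NET 4
        // and later), so the browser renders the term as text.
        litResult.Text = "You searched for " + HttpUtility.HtmlEncode(term);

        // Alternative: let the control encode. With Mode="Encode" the Literal
        // HTML-encodes whatever is assigned to Text, so HtmlEncode must not be
        // called here as well, or the user sees "&lt;img ..." double-encoded.
        litAutoEncoded.Text = "You searched for " + term;
    }
</script>
<!DOCTYPE html>
<html>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="txtSearch" runat="server" />
        <asp:Button ID="btnSearch" runat="server" Text="Search" OnClick="btnSearch_Click" />
        <p><asp:Literal ID="litResult" runat="server" /></p>
        <p><asp:Literal ID="litAutoEncoded" runat="server" Mode="Encode" /></p>
    </form>
</body>
</html>
```

Two caveats. Request validation is on by default in Web Forms and throws HttpRequestValidationException for input such as "<img" before the click handler runs; it is a blocklist that can be switched off per page, not a substitute for encoding at output. And HtmlEncode protects the HTML only: the database query the question mentions needs parameterized SQL, which is a separate problem from XSS.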

If you are on ASP.NET 4 or newer, you can use this syntax:

<%: Model.Username %>

Which will HTML-encode the expression. Scott Gu explains the benefit of this syntax:

We chose the <%: %> syntax so that it would be easy to quickly replace existing instances of <%= %> code blocks. It also enables you to easily search your code-base for <%= %> elements to find and verify any cases where you are not using HTML encoding within your application to ensure that you have the correct behavior.

answered by default.kramer
  • Not available at the time, but this should really be the accepted answer, unfortunately MrCricket is long gone. – jmoreno Mar 17 '22 at 17:45

On webforms you can call

HttpUtility.HtmlEncode(foo);

Be careful to not double encode.

answered by Diego
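
The inline-expression forms side by side, as an added example covering both the <%: %> syntax from default.kramer's answer and the double-encoding warning in this one. It is not code from either answer; the "term" field, its value and the page are constructed for the example. It also shows the IHtmlString behaviour that the last answer on this page relies on.

```aspx
<%@ Page Language="C#" %>
<%-- Added example, not code from either answer: the inline-expression forms side
     by side. The "term" field, its value and the page itself are constructed for
     this example. --%>
<script runat="server">
    // Stand-in for the user's search term. In a real page this would come from a
    // TextBox or Request.QueryString; the value here is a constructed sample.
    protected string term = "<img src=x onerror=alert(1)>";
</script>
<!DOCTYPE html>
<html>
<body>
    <%-- 1. <%= %> writes the string as-is: the img tag is parsed and the onerror
         handler runs. This is the injection the question asks about. --%>
    <p><%= term %></p>

    <%-- 2. <%: %> (ASP.NET 4 and later) HTML-encodes the expression, so the browser
         shows the literal text <img src=x onerror=alert(1)> and nothing runs. --%>
    <p><%: term %></p>

    <%-- 3. Double encoding: HtmlEncode inside <%: %> encodes the & of every entity
         a second time, so the page shows "&lt;img src=x ...&gt;" as visible text.
         Harmless, but wrong; use exactly one encoding step per output point. --%>
    <p><%: HttpUtility.HtmlEncode(term) %></p>

    <%-- 4. <%: %> writes IHtmlString values without encoding them, so wrapping raw
         input in HtmlString gives back case 1:
             <%: new HtmlString(term) %>   (never do this with untrusted data)
         HtmlString is for markup you built and encoded yourself: --%>
    <p><%: new HtmlString("<b>" + HttpUtility.HtmlEncode(term) + "</b>") %></p>
</body>
</html>
```

Cases 2 and 4 are the only ones whose output is safe for untrusted input; the search described in Scott Gu's quote above (grep for <%= and check each hit) is how you find the case 1 occurrences in an existing code base.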

You can use Server.HtmlEncode (which translates to HttpServerUtility.HtmlEncode), but Microsoft has a better web protection library called AntiXSS that you can download from CodePlex. It includes a utility that uses a white-list approach to HtmlEncoding (much safer and better, and recommended by OWASP although they point to an older version). It also has tools that allow you to get safe HTML fragments, etc.

If you look at nothing else, however, take a look at the OWASP top 10. It sounds like you're just scratching the surface of web app security, and this is the best resource out there. Cross-Site Scripting attacks are just one of a whole slew of things you need to defend against.

It's also the one you will need to conform to if you have to deal with any sort of compliance (PCI, Red flag, etc.).

answered by David, edited by Glorfindel
  • I'm sorry, but anti-XSS input filtering is seriously not at all a substitute for HTML-encoding plain text at the output-to-HTML stage. All anti-XSS tools are fragile, mangle valid input and are incomplete: at best a sticking plaster for poorly-written apps with HTML-escaping issues and not a cure that actually addresses the problem. – bobince Oct 25 '10 at 21:56
  • (Sorry for the -ve, but it's a serious problem with naïve webapp authors that they're sticking together various forms of output from text strings with no HTML-escaping, JSON-encoding, URL-encoding or whatever other type of context-sensitive-encoding is required for the particular task. Then they expect an input-filtering anti-XSS layer to somehow fix it all up. This is doing no more than brushing the problems under the rug.) – bobince Oct 25 '10 at 21:59
  • Agreed that he should not be filtering at the input stage but should be filtering at the output stage. 100% accurate. The OWASP guide that I linked to covers this. I merely suggest that the AntiXss library, with the whitelist validation, does a better job at this than the Server.HtmlEncode. I also agree that naive web app authors don't do security properly. This is also why I pointed him to the OWASP top 10 and my answer included "You're barely scratching the surface". But, fair point, and thanks for the feedback! – David Oct 25 '10 at 22:01
  • Yeah, the OWASP guide, especially the “You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into” section, is spot on. And ah, yeah, if you're talking about the escaping functions in AntiXSS, I suppose they're fine; I'll take back the -ve (though for me it's not clear what they really offer over .NET's existing escaping functions). It's the other automated nonsense in the library I take exception to. – bobince Oct 25 '10 at 22:16
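
The context-sensitive encoding that the comments above call for, as an added example not taken from the answer or the comments: one untrusted value written into four different output contexts, each with the encoder that context needs. The "term" field, its value and the page are constructed for this example.

```aspx
<%@ Page Language="C#" %>
<%-- Added example, not taken from the answer or the comments above: one untrusted
     value placed in four output contexts, each with the encoder that context needs.
     The "term" field, its value and the page are constructed for this example. --%>
<script runat="server">
    // Constructed sample that tries to break out of a quoted attribute, a quoted
    // JavaScript string and a script element. The closing script tag is split so
    // the ASP.NET parser does not mistake it for the end of this server block.
    protected string term = "x\" onmouseover=\"alert(1)\" <" + "/script><b>";
</script>
<!DOCTYPE html>
<html>
<body>
    <%-- 1. HTML element content: HtmlEncode, which is what <%: %> does. --%>
    <p>Results for <%: term %></p>

    <%-- 2. HTML attribute value: keep the attribute double-quoted. HtmlEncode escapes
         the quote, so <%: %> is safe here; HttpUtility.HtmlAttributeEncode is the
         dedicated function if you are encoding in code. --%>
    <input type="text" value="<%: term %>" />

    <%-- 3. URL query string: UrlEncode the value first (it becomes %22, %3c, ...),
         and because it still sits in an attribute it goes through <%: %> as well.
         The two encodings layer; each is undone by its own parser. --%>
    <a href="search.aspx?q=<%: HttpUtility.UrlEncode(term) %>">Search again</a>

    <%-- 4. JavaScript string literal: entities are not decoded inside a script
         element, so HtmlEncode is the wrong tool. JavaScriptStringEncode escapes
         quotes, backslashes and < > (as \u003c \u003e), so the value can end neither
         the string nor the script element; the second argument adds the surrounding
         double quotes. <%= %> is used deliberately: <%: %> would HTML-encode the
         JavaScript-encoded result on top, a double encoding of the wrong kind. --%>
    <script type="text/javascript">
        var lastTerm = <%= HttpUtility.JavaScriptStringEncode(term, true) %>;
    </script>
</body>
</html>
```

The rule the comments state is visible in case 4: the encoder is chosen by the context the string lands in, not by where it came from, so the same value needs a different function in each of the four places.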

In .NET v4.0 and above, you can use the following on Web Forms:

<%
   string notificationIcon = "<i class='fa fa-plus fa-icon fa-stack-right-top'></i>";
%>
<%: new HtmlString(notificationIcon) %>

Microsoft Docs

answered by Ravi Selvaraj, edited by codesnerd
  • By using new HtmlString, you actually undo the intention of <%: because HtmlString specifically says, what's inside here is good to go, doesn't need to be encoded. `<%: new HtmlString(x) %>` is the same as `<%= x %>`. See default.kramer's answer below for the proper syntax. – Chris Moschini Apr 21 '20 at 15:37