
I want the user to enter text and I would like to show the text back to the user and keep all the whitespace. I don't want any exploits or to have the user inject HTML or JavaScript. Is HttpUtility.HtmlEncode safe enough to use? ATM it looks correct since it's properly encoding < > and other test letters. To display the text back correctly, what do I use? Right now I am using <pre><code>. It looks alright; is this the correct way to display it?

2 Answers


HtmlEncode should be secure as far as any HTML codes or JavaScript. Any HTML markup characters will be encoded so that they appear only as other characters when displayed on a web page.

Yes, if I wanted to keep formatting (including all spaces), I would use <pre>.

Jonathan Wood

  • HtmlEncode is secure. It will replace < > & " ' with the corresponding HTML escape sequence (i.e. &lt; etc.), as well as replacing any multi-byte characters with their numeric escaped representation (i.e. &#9786;) – Paul Wheeler Dec 18 '10 at 23:30
  • It does not replace multi-byte characters from what I can see from looking at the source code. Any character with an integer value ranging from 160 to 255 (inclusive) will be converted to a numeric escape sequence (i.e. &#255;); however, any character with a value larger than 255 or less than 160 (except for the five specifically mentioned characters < > & " ') is output as-is. Why it even bothers to escape 160-255 is a mystery (e.g. 160 is smack in the middle of the extended ASCII range), since those are not reserved characters in HTML text anyway. – Triynko Aug 23 '11 at 20:11
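Putting this answer into practice, as an added example that is not code from the question or the answers: user text is run through HttpUtility.HtmlEncode and wrapped in <pre><code>, then the output is checked for any raw angle brackets. The class name, the helper and the sample input are constructed for illustration.

```csharp
using System;
using System.Web; // HttpUtility lives here (package System.Web.HttpUtility on .NET Core/.NET 5+)

static class SafeEcho
{
    // Encode user text for placement between tags. HtmlEncode turns the HTML
    // markup characters (< > & " ') into entities, so whatever the user typed
    // is shown as literal text instead of being parsed as tags or script.
    // Spaces, tabs and newlines pass through unchanged; <pre> keeps them visible.
    public static string RenderAsPre(string userText)
    {
        string encoded = HttpUtility.HtmlEncode(userText ?? string.Empty);
        return "<pre><code>" + encoded + "</code></pre>";
    }

    static void Main()
    {
        // Constructed sample input: a script tag, an ampersand, quotes,
        // an entity-like string, and leading whitespace that must survive verbatim.
        string input = "<script>alert('x')</script>\n" +
                       "    indented & \"quoted\" &amp;\n" +
                       "\ttab-indented line";

        string html = RenderAsPre(input);
        Console.WriteLine(html);

        // Defender's check: the encoded body must contain no raw < or >,
        // so the browser cannot see an element boundary inside the user's text.
        string body = html.Substring("<pre><code>".Length,
                                     html.Length - "<pre><code></code></pre>".Length);
        bool clean = body.IndexOf('<') < 0 && body.IndexOf('>') < 0;
        Console.WriteLine(clean ? "body contains no raw markup" : "raw markup leaked");
    }
}
```

HtmlEncode is the right encoder for text placed between tags, as here; text placed inside an attribute value, a URL or a script block needs the encoder for that context instead.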

You'll want to have a look at the GetSafeHTMLFragment method in the AntiXSS section of the Web Protection Library. This uses a whitelist of what HTML is considered 'safe' for XSS purposes; anything not in the whitelist is stripped out. Blowdart (who works on the WPL team) has a great blog post on using the method.

PhilPursglove

  • +-0. Incorrect, I am not trying to sanitize HTML, just display the text again. So this answer is not right. But may be useful to others when reading – Dec 18 '10 at 23:39