
I am having a very annoying issue that I so far don't know how to solve. I am building a website using ASP.NET MVC and C# which shows a table to the user. The data comes from a MS SQL database and I am using MVCGrid.net to create the table. Here is an example for a column that will be shown in the table:

cols.Add("note").WithHtmlEncoding(false)
     .WithValueExpression(i => i.Notice)
     .WithValueTemplate("{Value}<button class='btn btn-primary btn-block' data-target='#note-modal' data-record-id='{Model.ShipmentID}' data-note='{Value}' data-toggle='modal'><span class='glyphicon glyphicon-pencil'></span></button>")
     .WithSorting(true)
     .WithFiltering(true);

The problem: When i.Notice contains any characters that could potentially break the HTML syntax of my website, I do not know any way to prevent that from happening. I tried to use WebUtility.HtmlDecode() but that did not fix the problem. How can I make sure that no HTML injection or anything of that type happens on my website?

Chris
  • Is i.Notice a string, or an object? – Isparia Nov 08 '19 at 11:46
  • @Isparia It is a string. – Chris Nov 08 '19 at 11:53
  • *How* did you use HtmlEncode? (note: Html**En**code, not Html**De**code) – Hans Kesting Nov 08 '19 at 12:21
  • And I just noticed `WithHtmlEncoding(false)` in your code - shouldn't that be "`true`"? (not knowing MVCGrid) – Hans Kesting Nov 08 '19 at 12:22
  • @HansKesting I know what you mean and no, it needs to be false. I don't understand why either. By the way, thanks for the hint with HtmlEncode instead of decode, I just realized that stupid mistake myself and it actually seems to work now! – Chris Nov 08 '19 at 12:34
  • That `WithHtmlEncoding` probably works on the *output* of `WithValueTemplate`, which needs to be HTML here. Glad that HtmlEncode (of `i.Notice`, I assume?) worked. – Hans Kesting Nov 08 '19 at 13:41
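The comments above converge on the right fix: keep `WithHtmlEncoding(false)` so the button markup in the template is emitted as HTML, but encode the notice itself before it is merged into the template. The following is an added example, not code from the question or from MVCGrid.net; it reproduces the question's template with plain string substitution so it runs as a console program without the grid library. The `Shipment` class and the sample notice are constructed for the demo.

```csharp
using System;
using System.Net;

// Constructed model matching the properties used in the question's template.
public class Shipment
{
    public int ShipmentID { get; set; }
    public string Notice { get; set; }
}

public static class NoticeCell
{
    // Same markup as the question's WithValueTemplate. {Value} appears twice:
    // once as element text and once inside a single-quoted attribute.
    const string Template =
        "{Value}<button class='btn btn-primary btn-block' data-target='#note-modal' " +
        "data-record-id='{Model.ShipmentID}' data-note='{Value}' data-toggle='modal'>" +
        "<span class='glyphicon glyphicon-pencil'></span></button>";

    // Vulnerable variant: the notice is pasted into the markup verbatim, which is
    // what WithHtmlEncoding(false) plus an unencoded value expression produces.
    // A quote or angle bracket in the notice closes the attribute or starts a tag.
    public static string RenderUnsafe(Shipment s) =>
        Template.Replace("{Model.ShipmentID}", s.ShipmentID.ToString())
                .Replace("{Value}", s.Notice ?? string.Empty);

    // Fixed variant: encode once, before the value reaches the template.
    // WebUtility.HtmlEncode escapes < > & " and ' (the last as &#39;), so the same
    // encoded string is safe both as text and inside the single-quoted data-note attribute.
    public static string RenderSafe(Shipment s) =>
        Template.Replace("{Model.ShipmentID}", s.ShipmentID.ToString())
                .Replace("{Value}", WebUtility.HtmlEncode(s.Notice ?? string.Empty));

    // Quick check a reviewer can run: no raw quote or angle bracket from the notice
    // survives in the rendered cell.
    public static bool NoticeIsNeutralised(Shipment s)
    {
        string rendered = RenderSafe(s);
        string encoded = WebUtility.HtmlEncode(s.Notice ?? string.Empty);
        return rendered.Contains(encoded) && !rendered.Contains(s.Notice ?? string.Empty);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: an ordinary note that happens to contain ' and <.
        var row = new Shipment { ShipmentID = 42, Notice = "Don't <b>ship</b> before Friday" };

        Console.WriteLine("Unsafe: " + NoticeCell.RenderUnsafe(row));
        Console.WriteLine("Safe:   " + NoticeCell.RenderSafe(row));
        Console.WriteLine("Neutralised: " + NoticeCell.NoticeIsNeutralised(row));
    }
}
```

In the grid configuration itself, the equivalent change (assuming MVCGrid's `WithValueExpression` takes a function of the row, as in the question) is `.WithValueExpression(i => WebUtility.HtmlEncode(i.Notice))` while leaving `WithHtmlEncoding(false)` in place, so only the data is encoded and the button markup is still rendered as HTML. Encoding at the value expression rather than in the template also means the single encoded value serves both places `{Value}` is used.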

0 Answers