Displaying HTML and other code in a Textarea in ASP.NET

Question

I've got an application where users can store snippets of HTML and ASP code in a database. The trouble is, when i dynamically populate the textarea control, all the various characters that can be in an HTML snippet will cause the page to not render properly.

Can someone point me to a guideline/how-to on stripping out / replacing various characters before outputting to the browser?

Do I strip out the angle brackets and replace with a stand-in character? Do i force my users to enter < and > instead of angle brackets? Or is there a much easier way of doing this?

Answer 1

You can easily encode HTML before you output it to the screen by using the HttpUtility.

Answer 2

A good habit to be in is to use HTMLEncode and HTMLDecode from the Server.httpUtility class.

Simply replacing < and > or manually parsing out html can be troublesome and you may not quite "get it all".

By always calling HTMLEncode and HTMLDecode on any user input or text written to the screen, you greatly reduce the risk of Cross-site scripting and other common web vulnerabilities (like SQL injection). It should never be used as the only security/sanitation mechanism, but it is easy and effective to implement.