If I have XML/HTML data to post, we need to encode the data to avoid the XSS validation. So should we use HTML encoding or URI encoding for this?

If URI encoding is used, will it cause issues, as form POST automatically URI encodes all the data before sending?

+1  A: 

XSS is a problem caused by giving tainted data to the client. It can't be solved at the point where data is posted.

To protect against it, HTML encode the data (immediately) before placing it in an HTML document.

David Dorward
Thanks David, and what about URI encoding? Is it OK to use it instead of HTML encoding? I mean URI encode the data, then place it in the form's hidden element and decode it on the server end?
Anil Namde
That just renders it hard to read. Use HTML encoding for putting things in HTML.
David Dorward
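An added example (not from the answer above) illustrating the point: URI encoding is transport encoding that the server undoes, so the data arrives unchanged; only HTML encoding at the moment the value is written into the page neutralises markup. The `htmlEncode`, `renderComment` and `simulatePostAndRender` names and the sample string are constructed for this demonstration.

```javascript
// Minimal HTML entity encoder for text nodes and double-quoted attribute
// values. Replaces the five characters that can change HTML structure.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Output step: untrusted data is encoded immediately before it is placed
// in the HTML document, as the answer recommends.
function renderComment(untrusted) {
  return `<p class="comment">${htmlEncode(untrusted)}</p>`;
}

// Simulates the round trip asked about in the thread: the browser URI-encodes
// the value for the POST body, the server decodes it, and the page later
// renders it. URI encoding is gone by the time the data is rendered, so it
// contributes nothing to XSS protection at the output step.
function simulatePostAndRender(untrusted) {
  const transported = encodeURIComponent(untrusted); // what the form sends
  const received = decodeURIComponent(transported);  // what the server stores
  return {
    received,                              // identical to the original input
    unsafeHtml: `<p>${received}</p>`,      // markup in the data stays live
    safeHtml: renderComment(received),     // markup becomes inert text
  };
}

// Constructed sample containing the characters that matter for HTML.
const SAMPLE = '<i>hello</i> & "friends"';
if (typeof require !== 'undefined' && require.main === module) {
  const r = simulatePostAndRender(SAMPLE);
  console.log(r.received === SAMPLE);  // URI round trip is lossless
  console.log(r.unsafeHtml);           // <i> is still markup here
  console.log(r.safeHtml);             // &lt;i&gt; is just text here
}
```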
+1  A: 

Remember: filter input, escape output.

  1. Always filter input before placing it in a database (to avoid SQL injection, etc.)
  2. Escape output before sending it to the client by filtering / encoding any HTML in the dynamic content.
Mathias Bynens
Umm - to avoid SQL injection, you escape the data for your database.
David Dorward
@David: That’s right. What’s your point? Should I have said “escape input, escape output” instead?
Mathias Bynens
Filter (especially when you put it next to escaping) suggests removing things from data rather than replacing them with safe equivalents. You use filtering to, for instance, stop spam being inserted into the database.
David Dorward