tags:

views:

31

answers:

1
Q: 

outputting html in runtime in asp.net

Hi all,

I'm building a website at the moment, I've some html fragment that is being stored into the database, I've been reading around that inserting HTML at runtime poses security risks by using the InnerHTML property of any html tag with runat server on it.

So, my question is there any alternative way to safely display the html code and won't pose security risks and is it best to assume any textboxes on any given page is dangerous and process the text in the textboxes with Server.HtmlEncode before I store it to database?

Cheers

A: 

You should always HtmlEncode any user generated data before you display it (to avoid XSS attacks).

In asp.net 4.0 they have a new server side output tag to automatically encode data:

<%: "text to encode"%>

This is instead of:

<%= "text that will not be encoded"%>

Which is still around for backwards compatibility.

Oded  2010-04-24 12:45:35
If I use the HtmlEncode method, it would render my html code as text, I need to actually show that html code like if it was written in the html page
madness800  2010-04-24 12:53:10
@madness800 - Then you can't use encoding in this way. You may need to sanitize the HTML, if it is content provided by users. Look at the anti-xss library from microsoft - http://msdn.microsoft.com/en-us/library/aa973813.aspx
Oded  2010-04-24 12:56:17

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?