I want to enable comment posting on my page, so i need to execute some html encoding before post is sent and inserted into a database.
What is the ideal side for this?
Sever side(I work with asp.net) or client side (javascript)?
I want to enable comment posting on my page, so i need to execute some html encoding before post is sent and inserted into a database.
What is the ideal side for this?
Sever side(I work with asp.net) or client side (javascript)?
If you mean sanitizing the user input, the only place you can do that safely is server-side. You can't be sure that anything has been done client-side, it's too easy to bypass client-side code.
It's like data validation: It's nice to do data validation (making sure key fields of a form are filled in with valid values, for instance) on the client because the immediate feedback makes for a good user experience, but doing so is not a substitute for doing it on the server, because it's trivially easy to bypass the client-side validation.
But with sanitizing input, you don't even want to try to do that client-side; assume it's un-sanitized and sanitize it on the server.
In ASP.Net, if the input you're sanitizing is a string you're later going to display in an HTML page and you want to ensure that it doesn't contain HTML tags of its own, you can use HttpServerUtility.HtmlEncode
to encode the string (basically, turning <
into <
and such).
Without a doubt, definitely server side. However, I would encode the input before output to the browser instead of before input to the database.
If you are using ASP .NET MVC you can use the helper method.
<%= Html.Encode("user comment with html in it <script>alert('bad')</script>") %>
If you are using ASP .NET (webforms or MVC) in the NET 4 framework, you can use the new syntax.
<%: "user comment with html in it <script>alert('bad')</script>" %>
Surely you should go with server side
.
If you do it with client side, Users can easily get the encryption what you are using.
If it is a server side.It should be more secure.
A way to do it is to keep your page in UTF-8 for whatever users may be entering with
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
in the header of output and keep the database in unicode as well. You can never be sure what users are going to input.
Every database stack also delivers the means to escape possibly malicious content, e.g. mysql_real_escape_string
MySQL function in PHP.