tags:

views:

87

answers:

4
Q: 

HTML Encoding Server side vs Client side

I want to enable comment posting on my page, so i need to execute some html encoding before post is sent and inserted into a database.

What is the ideal side for this?
Sever side(I work with asp.net) or client side (javascript)?

+4  A: 

If you mean sanitizing the user input, the only place you can do that safely is server-side. You can't be sure that anything has been done client-side, it's too easy to bypass client-side code.

It's like data validation: It's nice to do data validation (making sure key fields of a form are filled in with valid values, for instance) on the client because the immediate feedback makes for a good user experience, but doing so is not a substitute for doing it on the server, because it's trivially easy to bypass the client-side validation.

But with sanitizing input, you don't even want to try to do that client-side; assume it's un-sanitized and sanitize it on the server.

In ASP.Net, if the input you're sanitizing is a string you're later going to display in an HTML page and you want to ensure that it doesn't contain HTML tags of its own, you can use HttpServerUtility.HtmlEncode to encode the string (basically, turning < into &lt; and such).

T.J. Crowder  2010-06-14 11:12:49
So, if I use TinyMCE editor on my page that does it's own encoding, it's not enough ans i must do my own encoding on server side?
shivesh  2010-06-14 16:43:17
@shivesh: Right, it's not enough. You cannot trust that *any* client-side processing has been done at all. It's trivially easy to send a request to your server with unencoded data, bypassing all of your client-side stuff, in an attempt to hack your site. You have to treat all inbound data as suspect. If the data is supposed to be encoded already, you might use the fact that it isn't to flag up inappropriate activity on the account in question, although I'm a bit surprised (not having used it) that TinyMCE encodes things before sending them to you. Normal input controls don't.
T.J. Crowder  2010-06-15 05:59:49
Can you recommend some library for server side checking? The content of tinymce has rich html so it will be complex to create something that is perfect from scratch.
shivesh  2010-06-15 06:36:13
@shivesh: I've updated the answer to point you to `HttpServerUtility.HtmlEncode`, but if you want to allow *some* HTML and not *other* HTML (which I'm guessing you probably do, if you're using TinyMCE), then I don't have a recommendation for you I'm afraid.
T.J. Crowder  2010-06-15 07:35:04
I know about HttpServerUtility.HtmlEncode I used it for simple input text box, but it's not good for this case.
shivesh  2010-06-15 08:16:28
+1  A: 

Without a doubt, definitely server side. However, I would encode the input before output to the browser instead of before input to the database.

If you are using ASP .NET MVC you can use the helper method.

<%= Html.Encode("user comment with html in it <script>alert('bad')</script>") %>

If you are using ASP .NET (webforms or MVC) in the NET 4 framework, you can use the new syntax.

<%: "user comment with html in it <script>alert('bad')</script>" %>
Nate Pinchot  2010-06-14 11:13:28
You suggest I should store data in database as is?
shivesh  2010-06-14 11:16:38
Yes, the reason being, if you sanitize the input before storing it in the database, if it is sanitized wrong then the original user input is lost and you can't go back and fix it. In addition, say you, for example, want to output the comment to a reporting component which allows and understands HTML - here you would need the unsanitized input, but if you encode before inserting to the database, you won't have it.
Nate Pinchot  2010-06-14 11:19:58
+1  A: 

Surely you should go with server side.

If you do it with client side, Users can easily get the encryption what you are using.

If it is a server side.It should be more secure.

anishmarokey  2010-06-14 11:15:35
A: 

A way to do it is to keep your page in UTF-8 for whatever users may be entering with 

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

in the header of output and keep the database in unicode as well. You can never be sure what users are going to input.

Every database stack also delivers the means to escape possibly malicious content, e.g. mysql_real_escape_string MySQL function in PHP.

Ain  2010-06-14 11:20:23

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps