In my markup I am using HTML title attributes which I set by the Tooltip property of various ASP.NET controls like an asp:Label. The content of those titles come from a database and I use data binding syntax, for instance:

<asp:Label ID="PersonLabel" runat="server" 
    Text='<%# HttpUtility.HtmlEncode(Eval("PersonShortName")) %>'
    ToolTip='<%# HttpUtility.HtmlEncode(Eval("PersonFullName")) %>' />

Now, tooltips seem to be displayed as plain text on Windows and in the browsers I have tested. So the HTML-encoding is not what I really want and I am inclined to remove the encoding.

Can this be dangerous in any way if the database fields may contain script tags for example? My question is basically: Is it always guaranteed that HTML-title attributes are displayed as plain text? Are they always displayed as tooltips at all, or is it possible that some browsers (or OSs) display them in another way and allow and render HTML content in the title attributes?

Edit:

Looking at some of the answers it seems I didn't phrase my question well, so here are some additions:

If I have in the code snippet above a PersonShortName of "PM" in my database and as the PersonFullName a name with non-ASCII characters in it like Umlauts in "Peter Müller" the browser displays in the tooltip Peter M&#252;ller when I apply HttpUtility.HtmlEncode like in the code example - which is ugly.

I've also tested a simple HTML fragment like:

<span title="<script>alert('Evil script')</script>" >Hello</span>

The script in the title attribute didn't run in a browser with JavaScript enabled (tested with Firefox); instead it was displayed in the tooltip as plain text. Therefore my guess was that title attributes are always rendered as plain text.

But as Felipe Alsacreations answered below there exist "rich tooltip plugins" which may render the title attribute as HTML. So in this case encoding is a good thing. But how can I know that?

Perhaps HttpUtility.HtmlEncode isn't the right solution and I have to filter only HTML tags but not encode simple special characters to make sure that the plain text is displayed correctly and to protect "rich HTML tooltips" at the same time. But it looks like a costly work - only for a simple tooltip.

+7  A: 

Always sanitize output to the browser.

If a value like "><script>blabla</script> is inserted as a value for your fields, a user can essentially take over your entire site. It will probably make a mess when it comes to validation and correct code, but the script will still be run.

So to answer your question: No, it is not guaranteed that HTML-title attributes are displayed as plain text if the user knows what he/she is doing.

Arve Systad
Honestly I don't understand why a user can "take over the entire site" when I send this script tag to his/her browser in a title attribute. Can you explain that?
Slauma
For example, a skilled user can run an external script that modifies your site (on the client side) to send the user to his or her own fake site when clicking links etc. This way he/she can make non-experienced users give away their passwords or other sensitive information. Or it can be as simple as putting an absolutely positioned DIV "on top" of your entire page, making it unusable.
Arve Systad
@Arve: I guess there is a misunderstanding about my question. I am aware of the danger of cross site scripting you seem to talk about. But in my case there are even not any form controls on the page where the user could enter anything and post it back to the server. How could someone inject script in a title attribute of a span element and make it happen that it will ever reach other peoples browser? I have edited my question and tried to clarify the question.
Slauma
What if the name-value closes the title attribute and span element, so the final output is *<span title=""><script>...</script></span>* ? You could find a way of only replacing the < and > characters, and not encoding the rest. Should work fine if you use UTF-8 for your page anyways.
Arve Systad
Ah, now I understand your example. So I think I will replace the HtmlEncode for the Tooltip attribute by a little handwritten "TooltipEncode" which replaces < and >. Thank you for explanations!
Slauma
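An added example (not from the thread or from ASP.NET) comparing the "replace only < and >" idea with an encoder that also escapes the quote characters that delimit an attribute. It uses the thread's own "><script>blabla</script> value and the "Peter Müller" name; function names and sample values are constructed, and it assumes the page is served as UTF-8 so non-ASCII characters can be left unencoded.

```javascript
// Added example: attribute-context encoding for an HTML title attribute.
// Only the characters that can end or confuse an attribute value are encoded;
// non-ASCII text such as "Peter Müller" stays as-is, so the tooltip shows the
// umlaut instead of "&#252;" (assumes a UTF-8 page). Both quote styles are
// handled because the ASP.NET markup in the question uses single-quoted
// attributes while plain HTML usually uses double quotes.
function tooltipEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must come first so later entities are not re-encoded
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The minimal replacement discussed in the comments: angle brackets only.
function anglesOnlyEncode(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the markup the way the data-bound Label does: the encoded value is
// placed inside a double-quoted title attribute.
function renderSpan(encode, text, tooltip) {
  return '<span title="' + encode(tooltip) + '">' + encode(text) + '</span>';
}

// Crude model of what a browser treats as the title value: everything up to
// the next double quote. Enough to show where the attribute gets cut off.
function extractTitle(html) {
  const marker = 'title="';
  const start = html.indexOf(marker) + marker.length;
  return html.slice(start, html.indexOf('"', start));
}

// Constructed sample values mirroring the thread.
const SAFE_NAME = "Peter Müller";
const BREAKOUT = '"><script>blabla</script>';

// With angle brackets only, the leading quote still terminates the attribute,
// so the browser sees an empty title and the rest of the string as markup.
function titleWithAnglesOnly() {
  return extractTitle(renderSpan(anglesOnlyEncode, "PM", BREAKOUT));
}

// With quotes encoded too, the whole value stays inside the attribute.
function titleWithFullEncode() {
  return extractTitle(renderSpan(tooltipEncode, "PM", BREAKOUT));
}
```

The umlaut case passes through tooltipEncode unchanged, which is the display behaviour the question was after; the breakout case shows why the quote, not only the angle brackets, needs encoding in attribute context.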
+2  A: 

Beside security reasons:

Title attributes should always be plain text but certain JS plugins misuse them to display 'rich' tooltips (i.e. HTML code with bold text, emphasis, links and so on).

As for browsers, AFAIK they are displayed as plain text tooltips, never displayed to those who use tabbed navigation (keyboard), and screen readers give their users (blind and partially sighted people) many options, like reading the longer of the link title and its text, or always the title, or never ...

Felipe Alsacreations
Thanks! Those "rich tooltip plugins" are what I was afraid of. I wasn't sure if they exist.
Slauma
Their existence has no bearing on the need to sanitize output to the browser. If some user employs Greasemonkey to hook in a fancy JS tooltip library, it would be on them to deal w/ any incompatibilities. There shouldn't be any in this hypothetical as any styling would be applied to whatever value is held in the title attribute(s).
George Marian
A: 

Another point:

Who cares how the title attribute is rendered by a browser, when it is the presence of malicious strings in the source code that could present an issue?

It doesn't matter how it is displayed, the question is: how does it appear in the source code?

(As already stated, if you're pumping strings to the client, do something to sanitize those strings.)

George Marian
What do you mean with "source code" in this context? Do you mean the database content? In my situation I cannot control the content of my database fields since it comes from external interfaces (not entered via a browser) and the content is not only displayed in a browser but is also exported into other formats - like simple text files. So encoding before I store in the database wouldn't be a good solution. Of course I encode when I send database content to the browser. Only for the title attribute I wasn't sure if that is necessary, hence my question.
Slauma
The HTML source that's sent to the browser for display (rendering). Basically, any strings that are sent to the browser, which are not under your control. Obviously, the source you type into your PHP files/templates is under your control. Content in the DB, which comes from users/external-sources or may be somehow editable by users -- think possible SQL injection -- is always suspect.
George Marian
Also, you are correct, you rarely -- if ever -- want to encode the data going into your database; aside from quoting it to avoid SQL injection attacks.
George Marian