tags:

views:

327

answers:

5
Q: 

How to handle encoded inputs that need to be edited?

Using Microsoft's AntiXssLibrary, how do you handle input that needs to be edited later?

For example:

User enters: <i>title</i>

Saved to the database as: <i>title</i>

On an edit page, in a text box it displays something like: &lt;i&gt;title&lt;/i&gt; because I've encoded it before displaying in the text box.

User doesn't like that.

Is it ok not to encode when writing to an input control?

Update:

I'm still trying to figure this out. The answers below seem to say to decode the string before displaying, but wouldn't that allow for XSS attacks?

The one user who said that decoding the string in an input field value is ok was downvoted.

A: 

Yes, the code inside input boxes is safe from scripting attacks and does not need to be encoded.

smazurov  2008-11-28 01:27:57
A: 

You can call HTTPUtility.HTMLDecode(MyString) to get the text back to the unencoded form.

Kibbee  2008-11-28 01:29:08
One of the problems I face is that I'm using the AntiXssLibrary and it doesn't seem to have an HtmlDecode method. I might be wrong though.
metanaito  2008-11-28 20:12:02
+1  A: 

Your problem appears to be double-encoding; the HTML needs to be escaped once (so it can be inserted into the HTML on the page without issue), but twice leads to the encoded version appearing literally.

Rob  2008-11-28 01:35:47
What about when you are inserting it into an input field so that users can edit it? Should it be encoded?
metanaito  2008-11-28 17:12:13
+2  A: 

Looks like you're encoding it more than once. In ASP.NET, using Microsoft's AntiXss Library you can use the HtmlAttributeEncode method to encode untrusted input:

<input type="text" value="<%= AntiXss.HtmlAttributeEncode("<i>title</i>") %>" />

This results in 

<input type="text" value="&#60;i&#62;title&#60;&#47;i&#62;" />
in the rendered page's markup and is correctly displayed as <i>title</i> in the input box.

Josef  2009-05-15 15:09:10
Ah, this is the answer!
metanaito  2009-05-15 18:51:37
A: 

If you are allowing users to enter HTML that will then be rendered on the site, you need to do more than just Encode and Decode it.

Using AntiXss prevents attacks by converting script and markup to text. It does not do anything to "clean" markup that will be rendered directly. You're going to have to manually remove script tags, etc. from the user's input to be fully protected in that scenario.

You'll need to strip out script tags as well as JavaScript attributes on legal elements. For example, an attacker could inject malicious code into the onclick or onmouseover attributes.

Brandon Gano  2009-07-10 18:19:37
Is this true? I was under the impression that the AntiXSS library was made for this scenario since html.encode does not handle it. A Microsoft consultant even gave a presentation about how AntiXSS handles this while html.encode does not. The point being that we should use AntiXSS. I guess I will need to test this out.
metanaito  2009-07-14 20:30:38

related questions

HTMLEncode script tags only
Chinese characters in mailto subject line of email
Regex for Encoded HTML
HTML encoded links and anchors
Make an NSURL with an encoded plus (%2B)
Is is possible to html encode output in AppEngine templates?
Why is the html attribute returned as 'htmldecoded' even if encoded in html source?
Xml Escaping/Encoding terminology
PHP - Storing Text in MySQL Database
How to stop Gridview encoding my text on edit
How to stop gridview column from automatically encoding html entities
Is there a JDK class to do HTML encoding (but not URL encoding)?
How to HTML encode a string in JavaScript from a Firefox extension
ASP.NET MVC Html.Encode - New lines
How to use HtmlEncode with TemplateFields, Data Binding, and a GridView
How do I bypass the HTML encoding when using Html.ActionLink in Mvc?
Do you HtmlEncode during input or output?
How do I perform HTML decoding/encoding using Python/Django?
HTML encode user input when storing or when displaying
Cross Site Scripting and HTML Encoding
ASP.net MVC custom string output overloaded operator <%=h
How do you htmlencode using html agility pack?
A potentially dangerous Request.Form value was detected from the client
Will HTML Encoding prevent all kinds of XSS attacks?