views: 42

answers: 3

I'm having some problems with Html.Encode and users wanting to use special characters. Firstly the characters are replaced by the html codes and so are not displayed properly. And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted.

Given that this is an intranet site and the possibility of a deliberate attack is almost non-existent, is there really any risk to not using Html.Encode? Is there any possibility that someone would inadvertently submit some special characters which cause problems?

Or is there a better way around this problem?

+1  A: 

Given that this is an intranet site and the possibility of a deliberate attack is almost non-existent, is there really any risk to not using Html.Encode?

Yes, yes and yes again. There's always a risk from someone entering special characters in input fields. The golden rule of web development is never trust user input, and always encode anything that might come from user input.

Darin Dimitrov
So then how can I display the actual text entered instead of the html codes?
fearofawhackplanet
By Html encoding it: `<%= Html.Encode("some text that might contain dangerous characters") %>` or in ASP.NET 4.0 `<%: "some text that might contain dangerous characters" %>`.
Darin Dimitrov
I'm confused... that's exactly what I am doing, and I'm ending up with my textboxes full of codes like `°` instead of the actual text the user entered. These codes then throw an error if they are re-submitted.
fearofawhackplanet
How are you generating those textboxes? Are you using html helpers?
Darin Dimitrov
@Darin, yes they are MVC html helpers
fearofawhackplanet
So I don't understand what the problem is. Maybe showing your current code will help.
Darin Dimitrov
A: 

Check everywhere you are calling Html.Encode as it sounds like you're double encoding your strings (possibly encoding on save and on display or encoding on a template/partial and encoding that again).

And yes always encode your strings even if it's internal, otherwise one disgruntled employee could cause some serious damage.

Chao
A: 

Firstly the characters are replaced by the html codes and so are not displayed properly

You are double encoding. You actually want to Html.Encode in order to display the HTML tags the user entered at all, unless you actually want things like <ul><li> to become a bullet list instead of showing the tags.

And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted.

Whatever you did to allow the initial submission of those will work to allow the edit. Again, maybe because of the double encoding, you are getting into further issues.

Given that this is an intranet site and the possibility of a deliberate attack is almost non-existant, is there really any risk to not using Html.Encode?

Deep down you already know that way of seeing security is wrong ;)

eglasius
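The double encoding that Chao and eglasius diagnose above, modelled in Python so it runs without ASP.NET. This is an added illustration, not code from the question or from any of the answers. `encode_once` approximates HttpUtility.HtmlEncode (the helper behind Html.Encode and `<%: %>`), including its `&#NNN;` form for characters 160 to 255, which is where the `&#176;` for a degree sign comes from; `render_textbox` models an MVC text box helper, which encodes the value attribute itself; `request_validation_rejects` is a simplified model of ASP.NET request validation, which refuses form values containing `&#` or `<` followed by a letter and is the likely source of the re-submit exception. The function names and the sample input are constructed for the example.

```python
import html

# Constructed sample input: a degree sign, an ampersand and quotes.
USER_INPUT = 'Temp: 25\u00b0 & "rising"'


def encode_once(value: str) -> str:
    """Approximation of HttpUtility.HtmlEncode (assumption, not the real .NET code):
    the five HTML-significant characters are replaced by entities, and characters in
    the range 160..255 become numeric references such as &#176; for the degree sign."""
    out = []
    for ch in value:
        if ch == "&":
            out.append("&amp;")
        elif ch == "<":
            out.append("&lt;")
        elif ch == ">":
            out.append("&gt;")
        elif ch == '"':
            out.append("&quot;")
        elif ch == "'":
            out.append("&#39;")
        elif 160 <= ord(ch) <= 255:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


def store_raw(value: str) -> str:
    """Correct: persist the text exactly as typed. Encoding is an output concern."""
    return value


def store_encoded(value: str) -> str:
    """Wrong: encoding on save. Combined with encoding on display it double-encodes."""
    return encode_once(value)


def render_textbox(stored: str) -> str:
    """Models an MVC text box helper: the value attribute is HTML-encoded once here,
    so the caller must hand over the raw string, not a pre-encoded one."""
    return f'<input type="text" name="note" value="{encode_once(stored)}" />'


def browser_shows(stored: str) -> str:
    """Models the browser: it decodes entity references in the value attribute when it
    parses the page, and that decoded text is what appears inside the text box."""
    return html.unescape(encode_once(stored))


def request_validation_rejects(posted: str) -> bool:
    """Simplified model (assumption) of ASP.NET request validation: a posted value is
    rejected if it contains '<' followed by a letter, '!', '/' or '?', or an '&#' sequence."""
    for i, ch in enumerate(posted):
        nxt = posted[i + 1] if i + 1 < len(posted) else ""
        if ch == "<" and (nxt.isalpha() or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def round_trip(store):
    """Save with the given strategy, render, let the browser decode, then re-submit the
    text box unchanged. Returns (text shown in the box, text posted back, rejected?)."""
    stored = store(USER_INPUT)
    shown = browser_shows(stored)
    posted = shown  # the user re-submits the edit form without touching the field
    return shown, posted, request_validation_rejects(posted)


if __name__ == "__main__":
    for name, strategy in (("store raw, encode on output", store_raw),
                           ("encode on save AND on output", store_encoded)):
        shown, posted, rejected = round_trip(strategy)
        print(f"{name}: box shows {shown!r}; re-submit rejected: {rejected}")
```

With `store_raw` the box shows the degree sign and the re-submit is accepted; with `store_encoded` the box shows the literal codes (`&#176;`, `&amp;`, `&quot;`) and the re-submitted `&#176;` trips request validation, which reproduces both symptoms in the question. The fix is not to drop Html.Encode but to encode exactly once, at the point of output.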