views:

784

answers:

2

I have a textarea in an ASP.NET MVC Application where the user can type some text. When I show the text to the user, I use Html.Encode to prevent malicious input. The problem is that the user can type in Spanish and maybe he types año and the Encode transforms this into a&#241o. How can I prevent this?

EDIT: In the generated HTML, I see this:

<a href="a1-'a1'-Cama&amp;#241;o?sort=estadisticas#241;o">a1 'a1' Cama&amp;#241;o</a>

Later in the page I have this, and this time the display is correct:

<b>a1 'a1' Cama&#241;o</b>

The first is generated this way:

<%= Html.RouteLink(Html.Encode(Model.NAME),  ...... %>

and the second like this:

<%= Html.Encode(Model.NAME)%>

So my guess is that the problem is with the Html.RouteLink.

+2  A: 

Are you encoding twice accidentally?

For example, if you set the Textarea's content programmatically on the server side, it will encode the content automatically on render.

Try looking at the raw HTML output of the textarea.

Normally when you put escapes inside textarea content, it should show up in the textarea decoded (displayed as the intended unescaped character).

So it might be a problem of accidentally Html.Encode twice unnecessarily.

If your data is already escaped, you might want to un-escape (Html.Decode) it before putting it in the textarea.

chakrit
Same thought here. +1
Tomalak
Saw it. Still applies, no?
chakrit
+2  A: 

So my guess is that the problem is with the Html.RouteLink

Yep. You're not supposed to HTML-encode the parameter going into RouteLink, it generates the HTML itself and so will take care of escaping for you.

bobince
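As an added illustration (not code from the question or either answer), this C# console program reproduces the double encoding both answers describe using System.Net.WebUtility, whose HtmlEncode also writes ñ as &#241;, and adds a regex check that a view test can run over rendered HTML to flag the mistake. The sample name is constructed, modelled on the one in the question.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class DoubleEncodingDemo
{
    // Encoded once: what Html.Encode(Model.NAME) emits, and what RouteLink
    // emits on its own when handed the raw value. Note that WebUtility in
    // .NET 4+ also turns the apostrophe into &#39;, which the MVC 1
    // Html.Encode in the question did not.
    public static string EncodeOnce(string raw) => WebUtility.HtmlEncode(raw);

    // The bug from the question: RouteLink encodes its link text itself, so
    // passing Html.Encode(...) into it encodes the '&' of every entity again.
    public static string EncodeTwice(string raw) => WebUtility.HtmlEncode(EncodeOnce(raw));

    // chakrit's remedy for data that is stored already encoded: decode it,
    // then let the rendering helper encode exactly once.
    public static string Repair(string alreadyEncoded) =>
        WebUtility.HtmlEncode(WebUtility.HtmlDecode(alreadyEncoded));

    // "&amp;" immediately followed by an entity body does not occur in
    // correctly encoded output unless the user literally typed an entity,
    // so in a view test its presence is a strong signal of double encoding.
    public static bool LooksDoubleEncoded(string html) =>
        Regex.IsMatch(html, @"&amp;(#\d+|#x[0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);");

    public static void Main()
    {
        // Constructed sample value, not taken from any real data.
        string name = "a1 'a1' Camaño";

        string once = EncodeOnce(name);   // the <b> line in the question
        string twice = EncodeTwice(name); // the RouteLink line in the question

        Console.WriteLine("once:  " + once);
        Console.WriteLine("twice: " + twice);
        Console.WriteLine("once flagged:  " + LooksDoubleEncoded(once));
        Console.WriteLine("twice flagged: " + LooksDoubleEncoded(twice));

        // Repairing single-encoded stored data and encoding it for output
        // yields the same markup as encoding the raw value once.
        Console.WriteLine("repair idempotent: " + (Repair(once) == once));
    }
}
```

In the MVC view itself the fix is simply `Html.RouteLink(Model.NAME, ...)` with the raw value, as bobince says; the check method is for a test that renders the view and inspects the HTML.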