ASP.NET Server.HtmlEncode Wont Encode €
I know that the EURO currency symbol (€) is encoded as € in HTML, but the System.Web.HttpUtility.HtmlEncode("€") doesnt encode it at all. Does anyone know why that is? ...
I know that the EURO currency symbol (€) is encoded as € in HTML, but the System.Web.HttpUtility.HtmlEncode("€") doesnt encode it at all. Does anyone know why that is? ...
I'm working through NerdDinner and I'm a bit confused about the following section... First they've added a form for creating a new dinner, with a bunch of textboxes delcared like: <%= Html.TextArea("Description") %> They then show two ways of binding form input to the model: [AcceptVerbs(HttpVerbs.Post)] public ActionResult Create() ...
I have many params making up an insert form for example: x.Parameters.AddWithValue("@city", City.Text) I had a failed xss attack on the site this morning, so I am trying to beef up security measures anyway.... Should I be adding my input params like this? x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text)) Is the...
I'm working in a Repeater over blog posts and I'm displaying a ShareThis JavaScript piece at the bottom. The Title and URL of the post are being sent to JS. In one test case, the title of a post has a single quote, e.g. Mark's test post Since I need to preserve that single quote when being sent to ShareThis, I need to wrap that Jav...
I'm trying to add a Javascript function to the onLoad event of a asp:Panel. It goes something like this: string clickFunction = "$('[id*=lblHiddenPageArray]').text('');" PagesPanel.Attribues.Add("onLoad", clickFunction); I'm attaching this function to other controls (Checkboxes and Buttons) and it's working fine. But in the PagesPa...
My company requires our ASP.NET code to pass a Fortify 360 scan before releasing the code. We use AntiXSS everywhere to sanitize HTML output. We also validate input. Unfortunately, they recently changed the "template" Fortify was using and now it's flagging all our AntiXSS calls as "Poor Validation". These calls are doing things like Ant...
I have a script that is rendered to an html page as a part of a tracking solution (etracker). It is something like this: <script> var et_cart= 'nice shoes,10.0,100045;nice jacket,20.00,29887'; </script> This will be transmitted to the server of the tracking solution by some javascript that I don't control. It will end up as 2 items. ...
As ScottGu says in his blog post «by default content emitted using a @ block is automatically HTML encoded to better protect against XSS attack scenarios». My question is: how can you output a non-HTML-encoded string? For the sake of simplicity, pls stick to this simple case: @{ var html = "<a href='#'>Click me</a>" // I want to emit...
I'm trying to write the dagger '†' symbol to a HTML page which gets converted to a PDF document, but this appears on the PDF as 'â€' I understand that I need to use the HTML code for this symbol, which is †. I've done this successfully for the '€' but in these cases I've written the code directly into the HTML. In this case, I'm...
My data coming from the database might contain some html. If I use string dataFromDb = "Some text<br />some more <br><ul><li>item 1</li></ul>"; HttpContext.Current.Server.HtmlEncode(dateFromDb); Then everything gets encoded and I see the safe Html on the screen. However, I want to be able to execute the safe html as noted in the data...
I have a Winform application in which I am checking if a fully qualified file name c:\somefolder\my file name.txt exists in the XML. Unfortunately, the XML holds the strings html encoded so c:\somefolder\my file name.txt becomes c:/somefolder/my%20file%20name.txt (not the change from backslash to forwardslash, and the %20 instead of bla...
The HttpUtility class provides for both encoding and decoding. But, when I use the MS AntiXSS 3.1 Library I have a set of methods only for encoding, does this mean decoding can be avoided? For example Before applying AntiXSS: lblName.Text = "ABC" + "<script> alert('Inject'); </script"; After applying AntiXSS: lblName.Text = AntiXSS...
The problem is this: You have a textbox, you type in some text, send it to the server. On another page, that value is retrieved and displayed on screen in a textbox and a label. It's important to stop scripting attacks, and asp.net won't let you submit unsafe code, so on submit you javascript replace < with < and the same for > Whe...
I wish to encode my HTML sent to the browser. In my .ASPX pages I can use the <%: %> syntax. In a HTML helper of mine I try... public static string Image(this HtmlHelper helper, string imageName, string altText) { return helper.Encode(String.Format("<image src='/images/{0}' alt='{1}' />", imageName, altText)); } ...