.NET Tutorials, Forums, Interview Questions And Answers
HTMLEncode and HTMLDecode

Posted Date: October 06, 2010    Points: 0    Category: ASP.Net

Hello world,

I'm trying to protect against XSS on a CMS I'm working on, and I therefore encode all necessary client input, but on retrieval from the DB I'm getting all these funny HTML characters displayed on the HTML page as a result of the encoding.

I'm considering appending a decode on retrieval, but I'm wondering what the point of the initial encoding is if I decode eventually.

Please, how do I effectively mitigate the XSS issue using the encode/decode avenue?

Thanks in advance!


More Related Resource Links

Server.HtmlEncode to all controls



I have used Server.HtmlEncode(MY TEXT) to display data,

I have set the page property validateRequest="false" in the .config file,

and all this is working fine.

Since I have a large application using hundreds of labels and text boxes to show data,

it is now almost impossible (time consuming) for me to place Server.HtmlEncode(MY TEXT) everywhere while setting data to them, e.g. in label.Text, textbox.Text, etc.

Is there any way to set the property somewhere so that all the labels and text boxes automatically use Server.HtmlEncode() when I set their text?

HttpUtility.HtmlEncode in javaScript?


Hi there,

I'm looking to encode both "&lt;" to "<" and "&gt;" to ">" but I'm not getting the right value for it, so I'm wondering if there is a way to encode the HTML in the JavaScript and call it at the control ID. I tried something like this in the JavaScript but it's not working. Does anyone know how to do it? Thanks.

using System.Web;   // HttpUtility lives here

string e = "<script lang='javascript' />";
string e1 = HttpUtility.HtmlEncode(e);           // observed: e1 = "&lt;script lang='javascript' /&gt;"
string e2 = HttpUtility.HtmlAttributeEncode(e);  // observed: e2 = "<script lang='javascript' />"


<asp:dropdownlist id
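For the original question (encode on save, decode on read) and for the JavaScript question above, here is an added example that is not part of either post: client-side equivalents of HttpUtility.HtmlEncode and HtmlAttributeEncode (the entity tables and function names are my own), a matching decoder, and a comparison of the three storage/rendering strategies. Only the page's own sample string is used as input.

```javascript
// Added example (not from the forum posts): context-aware HTML encoding in
// JavaScript that mirrors HttpUtility.HtmlEncode / HtmlAttributeEncode, plus a
// matching decoder, to show why "encode on save, decode on read" defeats the
// purpose. The safe pattern: store the raw value, encode once, at render time.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const HTML_UNESCAPES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Counterpart of HttpUtility.HtmlEncode: for text placed between tags.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Counterpart of HttpUtility.HtmlAttributeEncode: for a quoted attribute value.
// '>' is left alone because it cannot terminate a quoted attribute.
function htmlAttributeEncode(s) {
  return String(s).replace(/[&<"']/g, ch => HTML_ESCAPES[ch]);
}

// Reverse of htmlEncode for the entities it emits (single pass, so a
// double-encoded "&amp;lt;" decodes to "&lt;", not to "<").
function htmlDecode(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => HTML_UNESCAPES[name]);
}

// Output encoding: take whatever is stored and encode per context at render.
function renderComment(storedValue) {
  return `<p title="${htmlAttributeEncode(storedValue)}">${htmlEncode(storedValue)}</p>`;
}

// Compare the strategies from the question for one user-supplied value.
function compareStrategies(userInput) {
  const encodedOnSave = htmlEncode(userInput);
  return {
    // Encoded in the DB, then rendered by a control that encodes again:
    // the reader sees a literal "&lt;" (the "funny characters").
    doubleEncoded: htmlEncode(encodedOnSave),
    // Encoded in the DB, decoded on read, then emitted as HTML: the original
    // markup is back verbatim, so the save-time encoding bought nothing.
    decodedOnRead: htmlDecode(encodedOnSave),
    // Raw in the DB, encoded once at output: displays correctly and is inert.
    encodedAtOutput: renderComment(userInput),
  };
}

// Constructed sample: the same string the JavaScript question used.
const sample = "<script lang='javascript' />";
console.log(compareStrategies(sample));
```

The only strategy that both displays correctly and keeps markup inert is the third one; decoding before output hands the browser exactly the bytes the user typed.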

DataFormatString not working in GridView even if HtmlEncode="false"


Hello everybody,

My following bound column in the GridView is not displayed with the currency formatting that I have applied.

Please help me to find the solution. I am able to format my columns for Date but not for numbers and currency. Somewhere I found that putting HtmlEncode="false" will work, but it is also not working in my case.

<asp:BoundField DataField="LoanAmount" HeaderText="Loan Amount" SortExpression="LoanAmount" DataFormatString="{0:C}" HtmlEncode="false" />

Thanks in advance. Please help me to find the solution.



Server.HTMLDecode works but modal popup doesn't close



As the title of this post already mentions, I'm using a modal popup window to edit rows in the GridView. One column in the GridView contains a URL. When I fire the edit button, a popup opens and shows the URL in a textbox in this format: &lt;http://blablaba/re?add=14&amp;t=2&quot; /&gt;

When I use the Server.HtmlDecode function, the modal popup doesn't close anymore.

I am using the following code:

<div style="text-align: right; width: 262px">
    <asp:Button ID="BtnCancel" runat="server" Text="Cancel" OnClick="BtnCancel_Click" />

    <asp:LinkButton ID="lnkFake" runat="server"></asp:LinkButton>
    <asp:LinkButton ID="lnkFakeOk" runat="server"></asp:LinkButton>

    <ajaxToolkit:ModalPopupExtender ID="MPE_edit" runat="server" DropShadow="true" PopupControlID="pnlAddEdit"
                TargetControlID="lnkFake" CancelControlID="lnkFakeOk" BackgroundCssClass="modalBackground" />
</div>

txtURL.Text = Server.HtmlDecode(row.Cells[3].Text);

The funny thing is, when I change it to: txtURL.Tex
