I have a FreeTextBox editor set up on a page for clients to HTML format the data they enter. I collect the data, encode it and save it to the DB. Upon retrieval, I decode it and display it in a literal control.
Everything I'm reading to prevent an XSS attack says it should be encoded in the literal control. But if I do that, the data won't display how the client formatted it - it displays as encoded text.
So, how do I show the formatted data (HTML) in the literal control and prevent an XSS attack at the same time?
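One common way to keep client formatting while still blocking script injection is to sanitize the stored HTML against an allowlist instead of encoding or decoding it wholesale. The helper below is an added example (not code from the original post and not part of FreeTextBox or ASP.NET): it HTML-encodes the entire string with `System.Net.WebUtility.HtmlEncode`, then re-enables only an exact, attribute-free set of formatting tags. Any tag carrying attributes, or any tag outside the list, stays encoded and renders as visible text rather than as markup. The class name `SafeHtml`, the `AllowedTags` list and the sample input are all assumptions for the illustration.

```csharp
using System;
using System.Net;                       // WebUtility.HtmlEncode
using System.Text.RegularExpressions;

// Hypothetical helper (assumption: not part of the original post or FreeTextBox).
// Strategy: encode everything first, then selectively un-encode an allowlist of
// bare tags. Because attributes are never restored, event handlers such as
// onmouseover= and href="javascript:..." can never reach the browser as markup.
public static class SafeHtml
{
    // Allowed formatting tags; extend deliberately, never with tags that take
    // URLs or scripts (a, img, iframe, object, script, style) without a real parser.
    private static readonly string[] AllowedTags =
        { "b", "i", "u", "strong", "em", "p", "br", "ul", "ol", "li" };

    public static string Sanitize(string untrustedHtml)
    {
        if (untrustedHtml == null) return string.Empty;

        // Step 1: neutralize all markup. '<' -> '&lt;', '>' -> '&gt;', '&' -> '&amp;', quotes too.
        string encoded = WebUtility.HtmlEncode(untrustedHtml);

        // Step 2: restore only exact, attribute-free forms such as
        // &lt;b&gt;, &lt;/b&gt; and &lt;br /&gt;. "&lt;b onclick=..." does not match.
        foreach (string tag in AllowedTags)
        {
            string pattern = @"&lt;(/?)" + tag + @"\s*(/?)&gt;";
            encoded = Regex.Replace(encoded, pattern, "<$1" + tag + "$2>", RegexOptions.IgnoreCase);
        }
        return encoded;
    }

    public static void Main()
    {
        // Constructed sample input: legitimate formatting mixed with markup that must not execute.
        string submitted =
            "<p>Hello <b>world</b><br /></p>" +
            "<script>alert('x')</script>" +
            "<b onmouseover=\"alert(1)\">hover</b>";

        string safe = Sanitize(submitted);
        Console.WriteLine(safe);
        // Rendered by a Literal with Mode="PassThrough", the <p>, <b> and <br/> tags
        // format normally, while the <script> element and the <b> tag with an
        // attribute appear as literal text (&lt;script&gt;..., &lt;b onmouseover=...).
    }
}
```

Run the sanitizer once on the way into the database (or on every render, which also protects rows saved before the check existed), then assign the result to the Literal with `Mode="PassThrough"`; the earlier encode-then-decode round trip adds nothing, because decoding on output restores exactly the markup that was a risk. If the editor's richer output (links, colours, images) must survive, an exact-tag allowlist is too restrictive and the right tool is a parser-based sanitizer with per-attribute and URL-scheme rules, such as the `GetSafeHtmlFragment` method in Microsoft's AntiXSS library, rather than a regex extended to cover attributes.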