
Monday, November 14, 2005

 

HtmlEncode to keep comments safe

Ensure that you escape any hidden malicious script within comments posted to your blog or discussion board. Use the HtmlEncode method to encode everything, then selectively decode the few safe HTML tags you wish to support. Keep that allowlist to exact, attribute-free tags such as <b> and <i>: a tag carrying attributes (for example <b onclick="...">) will not match the replacement string and so stays harmlessly encoded, which is exactly what you want.

This means that when someone adds a SCRIPT element, it will be harmlessly encoded as &lt;script&gt; and so will not be interpreted and executed by the browser.

An example is shown below.

using System.Text;
using System.Web;   // HttpUtility lives in System.Web.dll

// Encode every special character in the posted comment first ...
StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(comments.Text));

// ... then put back only the exact, attribute-free tags we choose to allow.
sb.Replace("&lt;b&gt;", "<b>");
sb.Replace("&lt;i&gt;", "<i>");
sb.Replace("&lt;/b&gt;", "</b>");
sb.Replace("&lt;/i&gt;", "</i>");

SaveData(sb.ToString());
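The following is an added example, not code from the original post: it wraps the encode-then-allowlist idea in a method, runs it over a few constructed comments (a plain script tag, an allowed tag with an event-handler attribute, an unclosed tag) and goes one step beyond the post by closing any allowed tag a commenter left open, so one comment cannot leave the rest of the page in bold. The class name, SanitizeComment, CountOccurrences and the sample inputs are assumptions for illustration.

```csharp
// Added example (not from the original post). Assumed names: CommentSanitizer,
// SanitizeComment, CountOccurrences; the sample comments are constructed.
using System;
using System.Text;
using System.Web;   // System.Web.dll; System.Net.WebUtility.HtmlEncode is the equivalent on .NET Core

static class CommentSanitizer
{
    // Only tags in this list are ever emitted unencoded. They carry no attributes,
    // so there is nowhere for an attacker to put an event handler.
    static readonly string[] AllowedTags = { "b", "i" };

    public static string SanitizeComment(string comment)
    {
        // Step 1: neutralise every '<', '>', '&', '"' and '\'' in the input.
        var sb = new StringBuilder(HttpUtility.HtmlEncode(comment));

        // Step 2: selectively decode the exact, lowercase, attribute-free forms.
        // "&lt;b onclick=...&gt;" and "&lt;B&gt;" do not match and stay encoded.
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }

        // Step 3 (beyond the original post): close any allowed tag that was opened
        // but never closed, so the comment cannot restyle the page that follows it.
        string result = sb.ToString();
        foreach (string tag in AllowedTags)
        {
            int opens = CountOccurrences(result, "<" + tag + ">");
            int closes = CountOccurrences(result, "</" + tag + ">");
            for (int i = closes; i < opens; i++)
                result += "</" + tag + ">";
        }
        return result;
    }

    static int CountOccurrences(string haystack, string needle)
    {
        int count = 0, index = 0;
        while ((index = haystack.IndexOf(needle, index, StringComparison.Ordinal)) >= 0)
        {
            count++;
            index += needle.Length;
        }
        return count;
    }

    static void Main()
    {
        // Constructed sample comments.
        string[] samples =
        {
            "Nice post! <b>Really</b> useful.",          // -> <b> and </b> restored
            "<script>alert(document.cookie)</script>",   // -> stays fully encoded
            "<b onmouseover=\"alert(1)\">hover me</b>",  // -> opening tag stays encoded
            "<img src=x onerror=alert(1)>",              // -> stays fully encoded
            "<b>unterminated bold",                      // -> </b> appended
        };
        foreach (string s in samples)
            Console.WriteLine(SanitizeComment(s));
    }
}
```

The allowlist replacement is deliberately an exact string match rather than a regular expression: anything that is not literally `&lt;b&gt;`, `&lt;/b&gt;`, `&lt;i&gt;` or `&lt;/i&gt;` after encoding is left alone, so adding a tag that takes attributes (such as `<a>`) would need a proper HTML sanitiser, not another Replace call. The result is safe to place in an element's body; it is not meant for insertion inside a script block or a URL.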

