Monday, November 14, 2005
HtmlEncode to keep comments safe
Ensure that you escape any hidden malicious script within comments posted to your blog or discussion board. Use the HtmlEncode method to encode everything and then selectively convert back only the safe HTML tags you wish to support.
This means that when someone adds in a SCRIPT element, it will be harmlessly encoded as &lt;SCRIPT&gt; and so will not be interpreted and executed by the browser.
An example is shown below.
using System.Text;
using System.Web;

// Encode everything first, so no markup from the comment reaches the page as-is.
StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(comments.Text));
// Then turn only the exact encoded forms of the allowed tags back into real markup.
sb.Replace("&lt;b&gt;", "<b>");
sb.Replace("&lt;i&gt;", "<i>");
sb.Replace("&lt;/b&gt;", "</b>");
sb.Replace("&lt;/i&gt;", "</i>");
SaveData(sb.ToString());
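The same encode-then-allowlist approach as a small self-contained console program, added here as an illustration rather than code from the original post. SafeComments, Sanitize and the sample comments are constructed for this example; the only .NET API used is HttpUtility.HtmlEncode from System.Web. Because the replacement matches the exact encoded string of a bare tag, a tag carrying attributes (for example an event handler) encodes to a different string and stays inert.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;   // HttpUtility lives in System.Web.dll

static class SafeComments   // hypothetical helper, not from the original post
{
    // Exact encoded forms that are allowed back as real markup.
    // Only bare tags match; "<b onclick=...>" encodes to a different string.
    static readonly Dictionary<string, string> Allowed = new Dictionary<string, string>
    {
        { "&lt;b&gt;", "<b>" },  { "&lt;/b&gt;", "</b>" },
        { "&lt;i&gt;", "<i>" },  { "&lt;/i&gt;", "</i>" },
    };

    // Encode everything, then re-enable only the allow-listed tags.
    public static string Sanitize(string comment)
    {
        var sb = new StringBuilder(HttpUtility.HtmlEncode(comment));
        foreach (var pair in Allowed)
            sb.Replace(pair.Key, pair.Value);
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample comments, covering the allowed tags,
        // a script element, a tag with an attribute, and bare < > & characters.
        string[] samples =
        {
            "Nice <b>post</b>!",
            "<script>alert(1)</script>",
            "<b onmouseover=\"alert(1)\">hover</b>",
            "a < b && c > d"
        };
        foreach (var s in samples)
            Console.WriteLine("{0}\n  -> {1}", s, Sanitize(s));
    }
}
```

The second and third samples remain fully encoded text, while the first keeps its bold markup; this is what the comment should look like before it is saved and later rendered into the page body.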