HtmlEncode for all controls
in [ASP]
|
From: jaja on 9 Apr 2008 08:46 Hello all, I am familiar with the HtmlEncode Server method. I also read this : http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx My question is: If I want to encode all inputs from user, can I apply this encoding for all "Input" fields on my site in a single action. Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc. Many thanks.
From: Bob Barrows [MVP] on 9 Apr 2008 08:53 jaja wrote: > Hello all, > I am familiar with the HtmlEncode Server method. > > I also read this : > http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx > > My question is: If I want to encode all inputs from user, can I apply > this encoding for all "Input" fields on my site in a single action. > > Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc. No. Actually you want to use HtmlEncode when writing data to Response, not when reading data from a user -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
From: jaja on 9 Apr 2008 09:05 > No. > Actually you want to use HtmlEncode when writing data to Response, not > when reading data from a user > > -- > Microsoft MVP -- ASP/ASP.NET > Please reply to the newsgroup. The email account listed in my From > header is my spam trap, so I don't check it very often. You will get a > quicker response by posting to the newsgroup. Thanks for the prompt reply. I am new to web development. It may be that I didn't clear myself well. For example, I have the following html_encode1.asp file: ------------------------------------------------------ <%@ language="vbscript"%> <html> <body> <form action="html_encode1.asp" method="post"> <input type="text" name="txtbox"> <textarea name="txtarea" width=50 height=30/></textarea> <input type="submit" value="Submit" /> </form> <% dim fname fname=Request.Form("txtarea") fname = Server.HTMLEncode(fname) If fname<>"" Then Response.Write("Hello " & fname & "!<br />") Response.Write("How are you today?") End If %> </body> </html> ------------------------------------------------------ Please disregard the content. It is not the issue. As you can see I have here 2 input controls: A TextBox and a TextArea. On both I need to operate the HtmlEncode for security purpuses. Now suppose I have 100 controls per page and 100 pages (I am exaggerating of course, but just for theory prupuses). Should I now activate HtmlEncode for each on of the controls per each one of the pages? Thanks again.
From: Bob Barrows [MVP] on 9 Apr 2008 09:35 jaja wrote: >> No. >> Actually you want to use HtmlEncode when writing data to Response, >> not when reading data from a user >> > > Thanks for the prompt reply. > I am new to web development. > It may be that I didn't clear myself well. > No, I totally understood your question, and my answer still stands. You're not "activating HtmlEncode": You are calling a method called HTMLEncode that is contained in the Server object. That method replaces certain characters in the string provided via the argument with the HTML codes for those characters and returns the resulting string to the calling procedure. There is no shortcut here, except for eliminating one unnecessary line of code. All you really need is: fname=Request.Form("txtarea") If fname<>"" Then Response.Write("Hello " & _ Server.HTMLEncode(fname) & "!<br />") Response.Write("How are you today?") End If Again, the only place you need to use the method is when you are actually writing the value to response. There is no value, security or otherwise, to using it anywhere else. -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
From: jaja on 9 Apr 2008 10:12
Ok, Thank you Bob. |