What is the point to use Server.HtmlEncode in this piece of code

Tony Johansson

Hello!

In this piece of code, what is the point of using statement 2 instead of
statement 1?
We just want to display the value for keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
Response.Write("Key: " + arr1[loop1] + "<br>");

// Get all values under this key.
String[] arr2 = coll.GetValues(arr1[loop1]);
for (loop2 = 0; loop2 < arr2.Length; loop2++)
{
1 Response.Write("Value " + loop2 + ": " + arr2[loop2] +
"<br>");
2 //Response.Write("Value " + loop2 + ": " +
Server.HtmlEncode(arr2[loop2]) + "<br>");
}
}

//Tony
 
Arne Vajhøj

In this piece of code, what is the point of using statement 2 instead of
statement 1?
We just want to display the value for keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
Response.Write("Key: " + arr1[loop1] + "<br>");

// Get all values under this key.
String[] arr2 = coll.GetValues(arr1[loop1]);
for (loop2 = 0; loop2 < arr2.Length; loop2++)
{
1 Response.Write("Value " + loop2 + ": " + arr2[loop2] +
"<br>");
2 //Response.Write("Value " + loop2 + ": " +
Server.HtmlEncode(arr2[loop2]) + "<br>");
}
}

It is about security.

It prevents embedded HTML code (including JavaScript) from being
interpreted as such by the clients.

That is a big security problem if the data was entered by another
user than the one viewing it.

Arne

PS: Never use Response.Write in ASP.NET!
 
Tony Johansson

Arne Vajhøj said:
In this piece of code, what is the point of using statement 2 instead of
statement 1?
We just want to display the value for keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
Response.Write("Key: " + arr1[loop1] + "<br>");

// Get all values under this key.
String[] arr2 = coll.GetValues(arr1[loop1]);
for (loop2 = 0; loop2 < arr2.Length; loop2++)
{
1 Response.Write("Value " + loop2 + ": " + arr2[loop2] +
"<br>");
2 //Response.Write("Value " + loop2 + ": " +
Server.HtmlEncode(arr2[loop2]) + "<br>");
}
}

It is about security.

It prevents embedded HTML code (including JavaScript) from being
interpreted as such by the clients.

That is a big security problem if the data was entered by another
user than the one viewing it.

Arne

PS: Never use Response.Write in ASP.NET!

Yes, I know that I should never use Response.Write in ASP.NET!
But this is just testing to understand some ASP.NET.

I still don't understand why it is more safe to use #2 than #1:
1. Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
2. Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");

I mean, if I click on show source when the browser is displaying the page I
get the same result for #1 and #2,
so can you tell me what you mean when you say it's about security and it
prevents embedded HTML code (including JavaScript) from being interpreted as
such by the clients?

Can you just make us a scenario that describes this?


//Tony
 
Jeff Johnson

Can you just make us a scenario that describes this?

Response.Write("Value: " + "<script>alert(\"You've been hacked, d00D!\");</script>");

vs.

Response.Write("Value: " + Server.HtmlEncode("<script>alert(\"You've been hacked, d00D!\");</script>"));
 
Arne Vajhøj

Arne Vajhøj said:
In this piece of code, what is the point of using statement 2 instead of
statement 1?
We just want to display the value for keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
Response.Write("Key: " + arr1[loop1] + "<br>");

// Get all values under this key.
String[] arr2 = coll.GetValues(arr1[loop1]);
for (loop2 = 0; loop2 < arr2.Length; loop2++)
{
1 Response.Write("Value " + loop2 + ": " + arr2[loop2] +
"<br>");
2 //Response.Write("Value " + loop2 + ": " +
Server.HtmlEncode(arr2[loop2]) + "<br>");
}
}

It is about security.

It prevents embedded HTML code (including JavaScript) from being
interpreted as such by the clients.

That is a big security problem if the data was entered by another
user than the one viewing it.

I still don't understand why it is more safe to use #2 than #1:
1. Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
2. Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");

I mean, if I click on show source when the browser is displaying the page I
get the same result for #1 and #2,

Not if arr2[loop2] contains HTML tags.

so can you tell me what you mean when you say it's about security and it
prevents embedded HTML code (including JavaScript) from being interpreted as
such by the clients?

It escapes/encodes data so it does not get interpreted as HTML.

Can you just make us a scenario that describes this?

The right Google term is:
xss

Arne
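The two renderings the thread argues about, reproduced as an added example that is not part of any post here. The encoder is an approximation of Server.HtmlEncode written for this example (it replaces the same five characters with the entities .NET uses); the key/value collection is constructed sample data, with one value that carries the script payload from Jeff Johnson's scenario. A tag collector stands in for the browser, so you can see why "show source" only looks identical while the values contain no markup.

```python
from html.parser import HTMLParser

# Constructed sample standing in for the NameValueCollection `coll` in the thread:
# each key can hold several values, and the second "comment" value is the
# untrusted text from Jeff Johnson's scenario.
SAMPLE_COLL = {
    "name": ["Tony"],
    "comment": ["Hello!", "<script>alert(\"You've been hacked, d00D!\");</script>"],
}


def html_encode(value: str) -> str:
    """Encode the HTML-significant characters the way Server.HtmlEncode does
    ('&' first, so the entities introduced afterwards are not re-encoded)."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


def render(coll: dict, encode: bool) -> str:
    """Emit the same markup as the thread's loops: statement 1 when
    encode=False (raw value), statement 2 when encode=True (encoded value)."""
    out = []
    for key, values in coll.items():
        out.append(f"Key: {key}<br>")
        for i, value in enumerate(values):
            shown = html_encode(value) if encode else value
            out.append(f"Value {i}: {shown}<br>")
    return "".join(out)


class TagCollector(HTMLParser):
    """Records every start tag a parser sees, i.e. what the browser would
    treat as an element rather than as text."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Return the element names a browser-like parser finds in `markup`."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags
```

With `encode=False` the parser reports a `script` element among the `<br>` tags the page intended; with `encode=True` only the five `<br>` tags remain and the payload is inert text.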
 
