I'm doing some AntiXSS work. The user inputs some text which is then put through

Microsoft.Security.Application.Encoder.HtmlEncode();

and saved to the database.

This text can then be displayed in either a label or a textbox.

If I put the encoded text into the text property of a label it displays fine. If I assign it to the text property of a textbox it's displayed in its encoded form.

How can I display the text correctly in the textbox and the label? Does the library offer any decode mechanisms?

Because of project requirements I cannot change either the library or the fact that it's encoded on the input.

Liath
  • 9,913
  • 9
  • 51
  • 81

3 Answers

1

You can use Server.HtmlDecode or HttpUtility.HtmlDecode.

Ashwin Singh
  • 7,197
  • 4
  • 36
  • 55
  • I don't like this approach because it doesn't use the same library as was used to encode the string. However in lieu of any other solutions (or being able to find a solution myself) I will mark as the answer – Liath Aug 22 '12 at 13:14
  • There is no AntiXss.HtmlDecode. Moreover the above does not require additional libraries. – Ashwin Singh Aug 22 '12 at 13:25
1

You're doing it wrong. You should not HtmlEncode input and save it to database since there is no supported way to decode it. Rather you should save the raw information and encode it when displaying it.

Kyberias
  • 1,263
  • 1
  • 14
  • 23
  • This is the correct answer. For more details see https://lukeplant.me.uk/blog/posts/why-escape-on-input-is-a-bad-idea/ – SharpC Jan 20 '22 at 15:03
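Putting the two answers above together in one WebForms page, as an added example that is not from the question or any answer: the control names (lblComment, txtComment, lblLegacy, txtLegacy, btnSave) and the in-memory store standing in for the database are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXSS Encoder

public partial class CommentPage : Page
{
    // Constructed in-memory stand-in for the database (assumption, not real data access).
    private static readonly List<string> Store = new List<string>
    {
        "<b>raw</b> comment as typed",                                // stored raw (Kyberias' answer)
        Encoder.HtmlEncode("<b>legacy</b> comment stored encoded")    // stored encoded (the question)
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Row stored raw: encode at each output point.
        string raw = Store[0];
        lblComment.Text = Encoder.HtmlEncode(raw); // Label writes Text verbatim into the page
        txtComment.Text = raw;                     // TextBox encodes the value="" attribute itself,
                                                   // so passing encoded text shows &lt;b&gt; to the user

        // Row already stored encoded: emit as-is in element content, decode once for the TextBox.
        string legacy = Store[1];
        lblLegacy.Text = legacy;
        txtLegacy.Text = DecodeStored(legacy);
    }

    // Ashwin Singh's answer: AntiXSS has no decoder; HttpUtility.HtmlDecode reverses both
    // named entities and the numeric &#nn; forms that Encoder.HtmlEncode emits.
    private static string DecodeStored(string storedEncoded)
    {
        return HttpUtility.HtmlDecode(storedEncoded);
    }

    // Kyberias' answer: persist what the user typed; a stored-encoded value is only correct
    // for HTML element content and leaks entities into any other sink (JSON, e-mail, CSV).
    protected void btnSave_Click(object sender, EventArgs e)
    {
        Store.Add(txtComment.Text);
    }
}
```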
0

I suggest using GetSafeHtmlFragment for removing all tags and attributes that are not on the white list. The link below will be helpful.

Community
  • 1
  • 1
StackOrder
  • 270
  • 4
  • 14