2

I have the following encoding in the database:

    <p>
    Content <span style="color: #ffffff"><span style="background-color: #ff0000">1+1+1+1=4</span></span>.</p>

I want to put this value into an HTML div tag.

Do I decode the above value before sending it back to the client side, or do I decode it at the client side?

I am using jQuery and ASP.NET (VB).

This is my jQuery, which just displays the JSON data as HTML on screen, instead of popping up in an alert box.

    // Fetch one page record as JSON; the random query string defeats caching.
    function get_page( id ) {
        $.ajax({
            url: 'get_json.aspx?rand=' + Math.random(),
            type: 'POST',
            data: { intPageID:id },
            dataType: 'json',
            success: function(results) { 
                // results is the parsed JSON object
                alert(results);
                /*
                $('input#txtID').val(results.id);
                $('input#txtHeading').val(results.heading);
                $('textarea#taContent').val(results.content);
                */
            }
        });
    }

This is a followup question to: Encode HTML before POST

oshirowanen

3 Answers

2

It's a matter of style/preference because you obviously can get it rendered either way.

I would render it on server-side:

  • save bandwidth (encoding overhead + decoding script)
  • keep output simpler, faster and with less javascript
  • hide internal details from the HTML output. Users don't have to know that some pieces of the page are stored in the DB as HTML.

If you're paranoid then decode in the same layer where you encode (or using the same tools) - this will help avoid misunderstandings about what "encoded" exactly means ;)

Imre Pühvel
1

You can decode it before it goes to the client side.

There is no need to decode with javascript if you are passing through asp.net anyways.

Oded
1

I wouldn't encode it all, and send it back inside a string literal (make sure you replace " with \"). It can then be injected into the page using:

    $('textarea#taContent').html(results.content);

Chris S
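
An added example, not part of any answer above: it runs the question's stored value through an encode/decode pair kept in one layer, and through hand-quoted versus serializer-built JSON. All function names are hypothetical, and `STORED` assumes the line break after `<p>` shown in the question is part of the value.

```javascript
// Added example (not from the original posts). STORED is the question's
// database value; all function names here are hypothetical.
const STORED = '<p>\nContent <span style="color: #ffffff">' +
  '<span style="background-color: #ff0000">1+1+1+1=4</span></span>.</p>';

const ENC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DEC = Object.fromEntries(Object.entries(ENC).map(([ch, ent]) => [ent, ch]));

// Encode for an HTML text or attribute context.
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, ch => ENC[ch]);
}

// Decode in ONE pass, so "&amp;lt;" becomes "&lt;" and not "<".
// Chained .replace() calls that handle "&amp;" first would double-decode.
function decodeHtml(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, ent => DEC[ent]);
}

// Hand-built JSON as described in the last answer: only " is escaped.
function naiveJson(content) {
  return '{"content":"' + content.replace(/"/g, '\\"') + '"}';
}

// Serializer-built JSON: also escapes backslashes, newlines and control chars.
function safeJson(content) {
  return JSON.stringify({ content });
}

// Returns the parsed content, or null when the payload is not valid JSON.
function parseContent(json) {
  try {
    return JSON.parse(json).content;
  } catch (e) {
    return null;
  }
}

// The raw newline in STORED makes the hand-built payload invalid JSON.
console.log('naive parses:', parseContent(naiveJson(STORED)) !== null);
console.log('safe round-trips:', parseContent(safeJson(STORED)) === STORED);
console.log('encode/decode round-trips:', decodeHtml(encodeHtml(STORED)) === STORED);
```

`.html()` parses the decoded value as markup, while `.val()` and `.text()` insert it as text, so `.html()` is only appropriate for content whose markup is trusted or has been sanitised.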