
I am not able to understand why Server.HtmlEncode is required. MSDN states that it is used to encode potentially unsafe characters into their HTML-encoded equivalents.

Can someone give me some idea of how these characters are unsafe and why they require us to use Server.HtmlEncode?

Thanks.

Jake

1 Answer


One example of how characters can be unsafe is if the user submits a comment on your page. If the comment form does not use HtmlEncode then anything the user has just typed will now be visible as a comment on the page. In that case, a hacker could submit a comment like the following:

<script language="javascript" type="text/javascript">
window.location = 'http://server.com/viruspage.asp';
</script>

For each subsequent user who loads the page, the script will run (because it hasn't been encoded with HtmlEncode), redirecting each user to a page with viruses. This is a very simple example, but there are many other ways to input malicious data, potentially even giving hackers administrative access to your databases.

James
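To make the answer concrete, here is an added example (my own code, not from the original post or from ASP.NET) that applies the same character-to-entity mapping Server.HtmlEncode uses to the hacker's comment above and renders it both ways; `renderComment` and `containsScriptTag` are hypothetical helpers written for this illustration.

```javascript
// Added example: what HtmlEncode does to user-submitted text and why the
// encoded version cannot execute in the reader's browser.

// Entity table matching what ASP.NET's Server.HtmlEncode applies
// (the apostrophe is encoded by .NET 4.0 and later; included here).
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace each unsafe character in a single pass, so '&' is never double-encoded.
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical comment renderer: `encode` selects the safe path.
function renderComment(comment, encode) {
  const body = encode ? htmlEncode(comment) : comment;
  return `<div class="comment">${body}</div>`;
}

// Simple check on rendered output: does a live <script> tag survive?
// (A real HTML parser would be stricter; this is enough to show the difference.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the comment from the answer above.
const MALICIOUS_COMMENT =
  '<script language="javascript" type="text/javascript">\n' +
  "window.location = 'http://server.com/viruspage.asp';\n" +
  "</script>";

const unsafeFragment = renderComment(MALICIOUS_COMMENT, false); // script runs
const safeFragment = renderComment(MALICIOUS_COMMENT, true);    // literal text

console.log(containsScriptTag(unsafeFragment)); // true
console.log(containsScriptTag(safeFragment));   // false
console.log(safeFragment);
```

HtmlEncode is the right encoder for text placed between tags; a value inserted inside a script block, an event-handler attribute or a URL needs a context-specific encoder instead.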