
I have a Literal control being used to display HTML coming from the DB. I did face some XSS issues and implemented the Anti-XSS Security Runtime Engine (SRE) to automatically encode all HTML markup, e.g.

DB : <p align="center"></p>

Anti-XSS encodes it as :

&#60;p align&#61;&#34;center&#34;&#62;&#160;&#60;&#47;p&#62;

However, when I set the Text property of the Literal control from code-behind, I was expecting that the Literal control would DECODE the HTML and display the rendered version. Instead, it shows the ENCODED version.

Thus the Literal control displays <p align="center"></p> post-render. I understand it is Anti-XSS in action, but how can I get the Literal control to show the rendered HTML instead of the markup?

ASPX: <asp:Literal ID="ltPageContent" runat="server"></asp:Literal>
Code-behind, on Page_Load: ltPageContent.Text = getPageContent("home") 'Gets HTML from DB

Am I missing something simple here?

2 Answers


Without considering XSS risks, you may forget the Literal control here and use inline code instead:

ASPX:

<%= Server.HtmlDecode(YOUR_STRING) %>

2 Comments

Thanks, but I prefer not to have any code in aspx. Any solution at code-behind?
Well, you need a server-side HTML control as your container and set your HTML string to its InnerHtml property. For example, put a <div id="container" runat="server"></div> in your aspx page, and then the code-behind could be: container.InnerHtml = Server.HtmlDecode(YOUR_STRING);

You can also use the "Mode" property with a value of "PassThrough":

<asp:Literal ID="ltPageContent" runat="server" Text="Html Here" 
             Mode="PassThrough" />

I do advise checking for XSS before data is passed here, though.
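Both answers above bypass output encoding (Server.HtmlDecode into InnerHtml, or Mode="PassThrough" on the Literal), and both leave the XSS check to the reader. The code-behind below is an added example, not code from the question or either answer: it keeps the stored HTML in a Literal with PassThrough but runs it through an allowlist sanitizer first, so a <script> element or an onload= attribute that found its way into the CMS table never reaches the browser. It assumes the AntiXSS library (Microsoft.Security.Application, which ships the SRE the question already uses) is referenced, and GetPageContent stands in for the page's own data-access method; the sample row it returns is constructed here to show the sanitizer dropping a payload.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXSS library: Sanitizer.GetSafeHtmlFragment

public partial class Home : Page
{
    // Matching markup in the .aspx:
    // <asp:Literal ID="ltPageContent" runat="server" Mode="PassThrough" />

    // Constructed sample standing in for the database row (not real data).
    // It carries a payload the sanitizer must remove.
    private static readonly Dictionary<string, string> SampleRows =
        new Dictionary<string, string>
        {
            { "home", "<p align=\"center\">Welcome</p><script>alert(1)</script>" }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Raw markup from the database, e.g. <p align="center"></p>.
        string stored = GetPageContent("home");

        // The question stores raw markup, so sanitize it directly. Only if the
        // value had been entity-encoded on the way in (&#60;p ...) would you call
        // HttpUtility.HtmlDecode(stored) first; decoding raw HTML that contains
        // legitimately escaped text (&lt;) would turn that text back into markup.
        string safe = RenderSafeFragment(stored);

        // PassThrough renders the string as markup instead of encoding it,
        // which is exactly why it must only ever receive sanitized input.
        ltPageContent.Mode = LiteralMode.PassThrough;
        ltPageContent.Text = safe;
    }

    // Allowlist sanitizer from the AntiXSS library: keeps ordinary formatting
    // elements, strips script, event-handler attributes, javascript: URLs and
    // anything not on its allowlist.
    private static string RenderSafeFragment(string html)
    {
        if (string.IsNullOrEmpty(html)) return string.Empty;
        return Sanitizer.GetSafeHtmlFragment(html);
    }

    // Hypothetical data-access method; the real one reads the CMS table.
    private string GetPageContent(string key)
    {
        string row;
        return SampleRows.TryGetValue(key, out row) ? row : string.Empty;
    }
}
```

Sanitizing at render time, as here, protects the page even if the stored value was never validated on the way in. Sanitize at write time as well if other consumers read the same column, and keep the SRE's encoding on every control that is meant to display text rather than markup; PassThrough should be the exception that applies only to this one control.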

