
I have 2 fields: a Label and a TextBox.

Q1. Should HTML encoding be done while saving data into the database, or while displaying it in the aspx page?

Q2. HTML-encoded label text is displayed properly in the browser, like `asd < pqr`, but in the textbox it shows the ASCII value of the `<` sign.

As textboxes in ASP.NET are already encoded by default, should we decode the value before displaying it on the page?

Q3. If the textbox value is decoded while displaying, what is the security impact?

Q4. If I have a two-way bound textbox in an edittemplateitem, how do I decode its value while displaying?

  • Hi and welcome to Information Security. These questions are very specific to the ASP.NET platform and are better suited to Stack Overflow. Please post there, preferably as distinct questions. Commented Jul 4, 2018 at 7:32

1 Answer


Escaping should be done as late as possible and for a given target system, in contrast to validating, which should be done as soon as possible. Applied to your questions this would mean:

Q1: The input should not be escaped (HTML encoded) when inserting into the database; instead keep the original text. Only when displaying the text on an HTML form should the escaping be done. To mitigate SQL injection, use prepared statements, or escape for SQL, not for HTML.

Q2: Because we did not escape the text prematurely, ASP can do the escaping of the original text and no ASCII codes will appear.

Q3: No decoding necessary, because we still have the original text.

Q4: As far as I know, ASP should handle this for you; your application should only have to work with the original text and can leave HTML escaping to the framework.
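The "escape late, for the target" rule from the answer, as an added C# example that is not part of the original question or answer. It stores the raw text with a parameterized query, HTML-encodes only at render time, and reproduces the double-encoding symptom from Q2 (pre-encoded text handed to a control that encodes again). The `Notes` table, `Body` column and the `SaveNote` helper are constructed for illustration; `RenderTextBoxValue` assumes, as an approximation, that the TextBox control attribute-encodes its `Text` the way `HttpUtility.HtmlAttributeEncode` does.

```csharp
// Added example (not from the original post). Table/column names are
// constructed placeholders; the SqlClient call is illustrative only.
using System;
using System.Data.SqlClient;
using System.Web;

static class LateEscaping
{
    // Q1: persist the ORIGINAL text. The parameter keeps user input out of
    // the SQL grammar, so neither SQL nor HTML escaping belongs here.
    public static void SaveNote(SqlConnection conn, int id, string rawText)
    {
        using (var cmd = new SqlCommand(
            "INSERT INTO Notes (Id, Body) VALUES (@id, @body)", conn))
        {
            cmd.Parameters.AddWithValue("@id", id);
            cmd.Parameters.AddWithValue("@body", rawText); // stored as typed
            cmd.ExecuteNonQuery();
        }
    }

    // Q1/Q2: escape once, for the HTML element-content target, when the
    // raw text is rendered into a Label.
    public static string RenderLabel(string rawText)
    {
        return HttpUtility.HtmlEncode(rawText);          // "asd < pqr" -> "asd &lt; pqr"
    }

    // Q2/Q3: a TextBox encodes its own value attribute (assumed to match
    // HtmlAttributeEncode), so hand it the raw text, not pre-encoded text.
    public static string RenderTextBoxValue(string rawText)
    {
        return HttpUtility.HtmlAttributeEncode(rawText); // "asd < pqr" -> "asd &lt; pqr"
    }

    public static void Main()
    {
        string raw = "asd < pqr";                        // constructed input
        Console.WriteLine(RenderLabel(raw));             // asd &lt; pqr
        Console.WriteLine(RenderTextBoxValue(raw));      // asd &lt; pqr  (browser shows "asd < pqr")

        // The Q2 symptom: text encoded BEFORE storage, then encoded again by
        // the control, reaches the browser as the literal entity text.
        string storedEncoded = HttpUtility.HtmlEncode(raw);
        Console.WriteLine(RenderTextBoxValue(storedEncoded)); // asd &amp;lt; pqr  (browser shows "asd &lt; pqr")

        // Q3: with raw text in the database there is nothing to decode. A
        // decode step only exists to undo premature encoding, and a decoded
        // value that then misses the render-time encode is script injection.
    }
}
```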
