What is the point of using Server.HtmlEncode in this piece of code?

Tony Johansson

Hello!

In this piece of code, what is the point of using statement 2 instead of
statement 1? We just want to display the values for the keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
    Response.Write("Key: " + arr1[loop1] + "<br>");

    // Get all values under this key.
    String[] arr2 = coll.GetValues(arr1[loop1]);
    for (loop2 = 0; loop2 < arr2.Length; loop2++)
    {
        // 1
        Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
        // 2
        //Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
    }
}

//Tony
 
In this piece of code, what is the point of using statement 2 instead of
statement 1? We just want to display the values for the keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
    Response.Write("Key: " + arr1[loop1] + "<br>");

    // Get all values under this key.
    String[] arr2 = coll.GetValues(arr1[loop1]);
    for (loop2 = 0; loop2 < arr2.Length; loop2++)
    {
        // 1
        Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
        // 2
        //Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
    }
}

It is about security.

It prevents embedded HTML code (including JavaScript) from being
interpreted as such by the clients.

That is a big security problem if the data was entered by another
user than the one viewing it.

Arne

PS: Never use Response.Write in ASP.NET!
 
Arne Vajhøj said:
In this piece of code, what is the point of using statement 2 instead of
statement 1? We just want to display the values for the keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
    Response.Write("Key: " + arr1[loop1] + "<br>");

    // Get all values under this key.
    String[] arr2 = coll.GetValues(arr1[loop1]);
    for (loop2 = 0; loop2 < arr2.Length; loop2++)
    {
        // 1
        Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
        // 2
        //Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
    }
}

It is about security.

It prevents embedded HTML code (including JavaScript) from being
interpreted as such by the clients.

That is a big security problem if the data was entered by another
user than the one viewing it.

Arne

PS: Never use Response.Write in ASP.NET!

Yes, I know that I should never use Response.Write in ASP.NET,
but this is just testing to understand some ASP.NET.

I still don't understand why it is more safe to use #2 than #1:
1. Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
2. Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");

I mean, if I click on "show source" when the browser is displaying the page, I
get the same result for #1 and #2.
So can you tell me what you mean when you say it's about security and that it
prevents embedded HTML code (including JavaScript) from being interpreted as
such by the clients?

Can you just make us a scenario that describes this?


//Tony
 
Can you just make us a scenario that describes this?

Response.Write("Value: " + "<script>alert(\"You've been hacked, d00D!\");</script>");

vs.

Response.Write("Value: " + Server.HtmlEncode("<script>alert(\"You've been hacked, d00D!\");</script>"));
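Added example (not code from the thread): a console program that writes out exactly the HTML a browser would receive from statement 1 and from statement 2, for a harmless value and for the scenario value above. It answers the "show source gives the same result" observation directly: for a value with no HTML-significant characters the encoder changes nothing, so both statements produce the same source; the difference only appears once the value contains markup. The two sample values are constructed for the demonstration, and System.Net.WebUtility.HtmlEncode is used in place of Server.HtmlEncode so the program runs outside ASP.NET (it produces the same encoding for these inputs).

```csharp
using System;
using System.Net;

static class HtmlEncodeDemo
{
    // Statement 1 from the thread: the value goes into the page untouched.
    static string RenderRaw(int index, string value)
    {
        return "Value " + index + ": " + value + "<br>";
    }

    // Statement 2 from the thread: the value is HTML-encoded first, so
    // '<', '>', '&', '"' and '\'' become entities and lose their meaning.
    static string RenderEncoded(int index, string value)
    {
        return "Value " + index + ": " + WebUtility.HtmlEncode(value) + "<br>";
    }

    static void Main()
    {
        // Constructed inputs: one harmless, one carrying markup a browser would execute.
        string[] values =
        {
            "plain text",
            "<script>alert(\"You've been hacked, d00D!\");</script>",
        };

        for (int i = 0; i < values.Length; i++)
        {
            string raw = RenderRaw(i, values[i]);
            string encoded = RenderEncoded(i, values[i]);

            Console.WriteLine("--- input " + i + " ---");
            Console.WriteLine("statement 1 (view source): " + raw);
            Console.WriteLine("statement 2 (view source): " + encoded);
            // For "plain text" the two lines are identical, which is what the
            // original poster saw. Only the second input makes them differ.
            Console.WriteLine("identical: " + (raw == encoded));
            // A crude stand-in for the browser's parser: does a real tag survive?
            Console.WriteLine("script tag reaches browser with 1: " + raw.Contains("<script>"));
            Console.WriteLine("script tag reaches browser with 2: " + encoded.Contains("<script>"));
        }
    }
}
```

For the second input, statement 2 sends `&lt;script&gt;alert(&quot;You&#39;ve been hacked, d00D!&quot;);&lt;/script&gt;`, which the browser renders as literal text; statement 1 sends a real `<script>` element that the browser runs in the context of whoever is viewing the page.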
 
Arne Vajhøj said:
In this piece of code, what is the point of using statement 2 instead of
statement 1? We just want to display the values for the keys.

for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
    Response.Write("Key: " + arr1[loop1] + "<br>");

    // Get all values under this key.
    String[] arr2 = coll.GetValues(arr1[loop1]);
    for (loop2 = 0; loop2 < arr2.Length; loop2++)
    {
        // 1
        Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
        // 2
        //Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
    }
}

It is about security.

It prevents embedded HTML code (including JavaScript) from being
interpreted as such by the clients.

That is a big security problem if the data was entered by another
user than the one viewing it.
I still don't understand why it is more safe to use #2 than #1:
1. Response.Write("Value " + loop2 + ": " + arr2[loop2] + "<br>");
2. Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");

I mean, if I click on "show source" when the browser is displaying the page, I
get the same result for #1 and #2.

Not if arr2[loop2] contains HTML tags.
So can you tell me what you mean when you say it's about security and that it
prevents embedded HTML code (including JavaScript) from being interpreted as
such by the clients?

It escapes/encodes data so it does not get interpreted as HTML.
Can you just make us a scenario that describes this?

The right Google term is:
xss

Arne
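Added example (not code from the thread): the key/value loop from the original post rewritten so that nothing taken from the collection reaches the page unencoded. It assumes `coll` is a NameValueCollection filled from the request (for example Request.QueryString or Request.Form), which is the situation Arne describes, where someone other than the viewer controls the data; with that source, the key is attacker-controlled too, and the original loop wrote `arr1[loop1]` without encoding it. A StringBuilder stands in for Response and System.Net.WebUtility.HtmlEncode for Server.HtmlEncode so it runs as a console program; the collection contents are constructed for the demonstration.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;
using System.Text;

static class SafeKeyValueDump
{
    // Renders every key and all of its values as HTML text. Every string that
    // came from coll, the key included, passes through HtmlEncode on its way out.
    public static string Render(NameValueCollection coll)
    {
        var html = new StringBuilder();
        string[] keys = coll.AllKeys;
        for (int loop1 = 0; loop1 < keys.Length; loop1++)
        {
            // A bare "?x" in a query string yields a null key; show it as empty.
            string key = keys[loop1] ?? "";
            html.Append("Key: ").Append(WebUtility.HtmlEncode(key)).Append("<br>");

            // Get all values under this key (GetValues returns null for no values).
            string[] values = coll.GetValues(keys[loop1]) ?? new string[0];
            for (int loop2 = 0; loop2 < values.Length; loop2++)
            {
                html.Append("Value ").Append(loop2).Append(": ")
                    .Append(WebUtility.HtmlEncode(values[loop2])).Append("<br>");
            }
        }
        return html.ToString();
    }

    static void Main()
    {
        // Constructed stand-in for a request such as
        //   ?q=<script>...</script>&q=second+value&<img src=x onerror=alert(1)>=x
        var coll = new NameValueCollection();
        coll.Add("q", "<script>alert(\"You've been hacked, d00D!\");</script>");
        coll.Add("q", "second value");                  // same key twice: GetValues returns both
        coll.Add("<img src=x onerror=alert(1)>", "x");  // payload in the key, not the value

        string page = Render(coll);
        Console.WriteLine(page);

        // No raw tag from the request survives: the viewer sees the attacker's
        // text, not the attacker's markup.
        Console.WriteLine("raw <script> present: " + page.Contains("<script>"));
        Console.WriteLine("raw <img present:     " + page.Contains("<img"));
    }
}
```

HtmlEncode is the right tool only where the data lands as text between tags, which is the case in this loop. Data placed inside an attribute value, a `<script>` block, or a URL needs the encoding appropriate to that context, and the thread's search term, xss, leads to the references that cover those cases.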
 