WebUtility.HtmlEncode and WebUtility.HtmlDecode
Introduction
In earlier posts I shared around six articles on security. In this article I explain what HTML encoding is, how it helps prevent XSS attacks in a web application, and how HTML decoding works, with a sample for each.
HtmlEncode
The WebUtility.HtmlEncode method converts a string to an HTML-encoded string. It applies HTML encoding to the specified string, which makes it a quick way to encode form data and other client request data before writing it into the page output of your web application.
WebUtility.HtmlEncode converts characters as follows:
=> The apostrophe character (') is converted to &#39;.
=> The less-than character (<) is converted to &lt;.
=> The greater-than character (>) is converted to &gt;.
=> The ampersand character (&) is converted to &amp;.
=> The double-quote character (") is converted to &quot;.
Characters in the Latin-1 supplement range, code 160 (0xA0) through 255 (0xFF), are converted to &#<number>;, where <number> is the decimal character code. ASCII letters and digits, and other characters of the Basic Multilingual Plane above 0xFF (for example Devanagari letters), are passed through unchanged.
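As an added example (not code from the original article), the class below re-implements the rules just listed by hand and compares the result with WebUtility.HtmlEncode on a constructed sample string, so each rule can be read next to the framework's real output. The ManualHtmlEncode and AgreesWithFramework names and the sample text are assumptions made for this illustration.

```csharp
using System;
using System.Net;
using System.Text;

// Added example, not from the original article: a hand-rolled encoder that
// follows the rules listed above, compared against WebUtility.HtmlEncode.
public static class HtmlEncodeRules
{
    // Implements the documented character mapping by hand so the rules can be
    // read side by side with the framework's output.
    public static string ManualHtmlEncode(string input)
    {
        if (input == null) return null;
        var sb = new StringBuilder(input.Length);
        foreach (char ch in input)
        {
            switch (ch)
            {
                case '\'': sb.Append("&#39;"); break;
                case '<':  sb.Append("&lt;"); break;
                case '>':  sb.Append("&gt;"); break;
                case '&':  sb.Append("&amp;"); break;
                case '"':  sb.Append("&quot;"); break;
                default:
                    // Latin-1 supplement (U+00A0..U+00FF) becomes a decimal entity;
                    // other BMP characters, including those above U+00FF, are kept as-is.
                    // Supplementary-plane characters (UTF-16 surrogate pairs, e.g. emoji)
                    // are also numeric-encoded by the framework; this hand-rolled version
                    // does not handle them and the sample below avoids them.
                    if (ch >= 160 && ch < 256)
                        sb.Append("&#").Append((int)ch).Append(';');
                    else
                        sb.Append(ch);
                    break;
            }
        }
        return sb.ToString();
    }

    // True when the framework agrees with the hand-rolled rules for this input.
    public static bool AgreesWithFramework(string input)
    {
        return ManualHtmlEncode(input) == WebUtility.HtmlEncode(input);
    }

    public static void Main()
    {
        // Constructed sample covering each rule: the five special characters,
        // a Latin-1 character (©, U+00A9) and a BMP character above U+00FF (€, U+20AC).
        string sample = "Tom's <b>\"Bold\" & Co.</b> © 2015, 5 €";
        Console.WriteLine(WebUtility.HtmlEncode(sample));
        Console.WriteLine(AgreesWithFramework(sample)
            ? "framework output matches the rules listed above"
            : "MISMATCH between framework and hand-rolled rules");
    }
}
```

Running it prints the encoded sample followed by the comparison result; the euro sign is the interesting case, because it is above 0xFF and therefore passes through untouched while the copyright sign becomes a numeric entity.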
HTML encode and Cross Site Scripting
What is XSS?
Cross Site Scripting (often abbreviated as XSS) occurs when an attacker uses a web application to send or inject malicious code, such as browser-side script, to a different user. The malicious script runs in the victim's browser and can access the user's session, data from the trusted website and other sensitive information. More info: http://www.codechef4u.com/post/2015/06/29/Anti-Cross-Site-Scripting-Library
How is HTML encoding used to prevent XSS attacks?
Encoding data converts potentially unsafe characters to their HTML-encoded equivalents. This is what stops the attack: if user-supplied data containing a script like the one below is passed through the WebUtility.HtmlEncode method, the special characters in the actual string (for example "<" becomes "&lt;") are converted into a safe plain string.
In the browser this string is rendered as visible text rather than executed as script.
Encoding the data before saving it to the database, as described here, works; the more common practice is to store the raw input and encode it at the point where it is written into HTML, so that the same value can go to non-HTML sinks (an e-mail body, a log file) without decoding first and is never double-encoded.
Actual Script:
<script type="text/javascript">
function FetchSomeCriticlInfo() { /* some dangerous script code */ }
</script>
In this case, WebUtility.HtmlEncode encodes the <, >, and " characters, leaving this:
Encoded Script:
&lt;script type=&quot;text/javascript&quot;&gt;
function FetchSomeCriticlInfo() { /* some dangerous script code*/ }
&lt;/script&gt;
This script, if rendered in the browser, is displayed as literal text instead of being executed:
<script type="text/javascript"> function FetchSomeCriticlInfo() { /* some dangerous script code */ }
</script>
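As an added example (not code from the original article), the program below builds the same HTML fragment twice from a constructed XSS payload, once by raw string concatenation and once through WebUtility.HtmlEncode, so the difference the article describes can be seen in the generated markup. The RenderUnsafe, RenderSafe and ContainsScriptTag names and the payload are assumptions made for this illustration.

```csharp
using System;
using System.Net;

// Added example, not from the original article: the same HTML fragment built
// with and without WebUtility.HtmlEncode, fed a constructed XSS payload.
public static class XssDemo
{
    // Vulnerable: user input concatenated straight into markup, both as element
    // content and inside a double-quoted attribute value.
    public static string RenderUnsafe(string userName)
    {
        return "<p>Hello, " + userName + "</p>\n" +
               "<input type=\"text\" name=\"user\" value=\"" + userName + "\">";
    }

    // Hardened: encode at the point where the value is written into HTML content
    // or a double-quoted attribute value. Because '"' becomes &quot; the payload
    // can no longer close the attribute, and '<' becomes &lt; so no tag is created.
    public static string RenderSafe(string userName)
    {
        string encoded = WebUtility.HtmlEncode(userName);
        return "<p>Hello, " + encoded + "</p>\n" +
               "<input type=\"text\" name=\"user\" value=\"" + encoded + "\">";
    }

    // Crude check used only for the demonstration: did the input introduce a
    // real <script start tag into the generated markup?
    public static bool ContainsScriptTag(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed payload: closes the attribute's quote and the tag,
        // then injects a script element.
        string payload = "\"><script>alert(document.cookie)</script>";

        string unsafeHtml = RenderUnsafe(payload);
        Console.WriteLine("--- without encoding ---");
        Console.WriteLine(unsafeHtml);
        Console.WriteLine("script tag present: " + ContainsScriptTag(unsafeHtml));

        string safeHtml = RenderSafe(payload);
        Console.WriteLine("--- with WebUtility.HtmlEncode ---");
        Console.WriteLine(safeHtml);
        Console.WriteLine("script tag present: " + ContainsScriptTag(safeHtml));
    }
}
```

HtmlEncode is the right tool only for HTML element content and double-quoted attribute values, which is why RenderSafe quotes the value attribute. Data written into a <script> block, an event-handler attribute, a URL or CSS needs the encoder for that context, for example from the Anti-Cross-Site-Scripting library linked above.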
HTML Decode
The WebUtility.HtmlDecode(String) method converts a string that has been HTML-encoded for HTTP transmission into a decoded string.
The HtmlDecode(String, TextWriter) overload converts a string that has been HTML-encoded into a decoded string and writes the decoded string to a TextWriter output stream.
Example
The following address was encoded using the WebUtility.HtmlEncode method.
Encoded Address:
Bill Address
Nagnath Kendre
Kendre&#39;s Villa,Kendrewadi
Maharashtra,India.
To use this address in an e-mail or display it to a user as plain text, I need to decode the &#39; entity back to the actual apostrophe character.
The following address is the result of decoding with the WebUtility.HtmlDecode method.
Decoded Address:
Bill Address
Nagnath Kendre
Kendre's Villa,Kendrewadi
Maharashtra,India.
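As an added example (not code from the original article), the class below decodes the encoded address with both HtmlDecode overloads and checks that encoding followed by decoding gives the original text back. The EncodedAddress constant is the article's address as constructed sample data; the method names are assumptions made for this illustration.

```csharp
using System;
using System.IO;
using System.Net;

// Added example, not from the original article: decoding an HTML-encoded
// address for plain-text use, with both HtmlDecode overloads.
public static class HtmlDecodeDemo
{
    // Constructed sample: the address as it comes back from storage after
    // WebUtility.HtmlEncode was applied to it.
    public const string EncodedAddress =
        "Bill Address\nNagnath Kendre\nKendre&#39;s Villa,Kendrewadi\nMaharashtra,India.";

    // For a plain-text e-mail body the entities must be turned back into characters.
    public static string DecodeForEmail(string encoded)
    {
        return WebUtility.HtmlDecode(encoded);
    }

    // The TextWriter overload writes the decoded text straight into a writer,
    // which is convenient when streaming a response or a file.
    public static string DecodeViaWriter(string encoded)
    {
        using (var writer = new StringWriter())
        {
            WebUtility.HtmlDecode(encoded, writer);
            return writer.ToString();
        }
    }

    // Encoding and then decoding must return the original text unchanged.
    public static bool RoundTrips(string original)
    {
        return WebUtility.HtmlDecode(WebUtility.HtmlEncode(original)) == original;
    }

    public static void Main()
    {
        Console.WriteLine(DecodeForEmail(EncodedAddress));
        Console.WriteLine(DecodeViaWriter(EncodedAddress) == DecodeForEmail(EncodedAddress)
            ? "both overloads agree"
            : "overloads differ");
        // Constructed input exercising every special character from the table above.
        Console.WriteLine("round trip ok: " +
            RoundTrips("Kendre's Villa <Kendrewadi> & \"Maharashtra\""));
    }
}
```

Decode only for sinks that are not HTML, such as an e-mail body or a log line. Decoding user-controlled data and then writing it back into a page reintroduces exactly the script that HtmlEncode neutralised.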
Thank you, friends!!