WebUtility.HtmlEncode and WebUtility.HtmlDecode

Introduction

Previously I shared around six articles on security , in this article I am going to explain what is html encoding and how It prevent from xss attacks in web application and also I a am going to explain html decoding with sample example.

HtmlEncode

WebUtility.HtmlEncode Method converts a string to an HTML-encoded string.

The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application.

WebUtility.HtmlEncode converts characters as follows,

=> The apostrophe character (‘) is converted to '
=> The less-than character (<) is converted to &lt;.
=> The greater-than character (>) is converted to &gt;.
=> The ampersand character (&) is converted to &amp;.
=> The double-quote character (") is converted to &quot;.

Any ASCII code character whose code is greater-than or equal to 0x80 is converted to &#<number>, where is the ASCII character value.

HTML encode and Cross Site Scripting

What is XSS?

Cross Site Scripting (often abbreviated as XSS) when attacker uses web application send or injects malicious code like browser script, to different user. This malicious script executes and access user resources, trusted website data, website critical information. More info… http://www.codechef4u.com/post/2015/06/29/Anti-Cross-Site-Scripting-Library

HTML encode used to prevent possible XSS attack?

Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.

It prevents XSS (cross site scripting) attacks, means that if you are going to save some data In database that allow following script and you used WebUtility.HtmlEncode method to encode string in that case following actual string special characters (i.e “< “is converted to “&lt”) converted into safe plain string.

  In web environment this script will be rendered safely rather than actually executing script.

Actual Script:

<script type="text/javascript">
    function FetchSomeCriticlInfo() { /* some dangerous script code */ }
</script>

In this case, Server.HTMLEncode would encode the <, >, and " characters leaving this:

Encoded Script:

<script type="text/javascript">
    function FetchSomeCriticlInfo() { /* some dangerous script code*/ }
</script>

This script, if rendered in the browser will look like this

<script type="text/javascript"> function FetchSomeCriticlInfo() { /* some dangerous script code */ }
</script>

HTML Decode

WebUtility.HtmlDecode(String) Method converts a string that has been HTML-encoded for HTTP transmission into a decoded string.

HtmlDecode(String, TextWriter) overloaded method converts a string that has been HTML-encoded into a decoded string, and sends the decoded string to a TextWriter output stream.

Example

Follwing address is encoded using WebUtility.HtmlEncode Method

Encoded Address:

Bill Address
Nagnath Kendre
Kendre&apos;s Villa,Kendrewadi
Mahrashtra,India.

If I want to use this address into email or display to user I require to decode this &apos; string to actual character.

Following Address is Decoded using WebUtility.HtmlDecode Method

Decoded Address:

Bill Address
Nagnath Kendre
Kendre’s Villa,Kendrewadi
Mahrashtra,India.

धन्यवाद मित्रानो !! Thanks  friends !!

Creating Dynamic HTML table using C# in Windows Form/Windows Service/Library Project

In this code example post I will explain how to create Dynamic HTML table using C# in Windows Form/Console Application/Windows Service/Windows Library project.

   For example, I want to send products detail email in proper html table format using existing C# generic Product list data. In following code example I will share code only to create dynamic html table and in next code example post I will share html table with email code.

C# Code

   public class DynamicHtmlTable
    {
        //table tag constants
 
        private const string HtmlTableStart = "<table cellspacing=0 cellpadding=0 style=\"border-collapse:collapse; text-align:center;\">";
 
        private const string HtmlTableEnd = "</table>";
 
        private const string HtmlTrStart = "<tr>";
 
        private const string HtmlTrEnd = "</tr>";
 
        private const string HtmlThStart = "<th style=\" border-color:#5c87b2; border-style:solid;text-align:center;border-width:thin;\">";
 
        private const string HtmlThEnd = "</th>";
 
        private const string HtmlTdStart = "<td style=\" border-color:#5c87b2; border-style:solid;border-width:thin;\">";
 
        private const string HtmlTdEnd = "</td>";
 
 
        public void GetTableData()
        {
            var Products=Dal.DAL.GetProducts();
            var EmailData = BuildDynamicTable(Products, "Dynmaic Html Table").ToString();
        }
 
        //This method creates dynamic table
        private StringBuilder BuildDynamicTable(List<Product> Products,string appName)
        {
            var DynamicTable = new StringBuilder();
 
            DynamicTable.AppendFormat("<h2>CodeChef4u Example To Create{0}</h2>", appName);
 
            //dynamic table
 
            DynamicTable.AppendLine(HtmlTableStart);
 
            //header row
            CreateTableHeaderRow(DynamicTable);
 
            //table row
            foreach (var product in Products)
            {
                CreateTableRow(product, DynamicTable);
            }
            //Table ends
            DynamicTable.AppendLine(HtmlTableEnd);
 
            return DynamicTable;
        }
 
        //This method create table header row with columns names
        private static void CreateTableHeaderRow(StringBuilder DynamicTable)
        {
 
            DynamicTable.AppendLine(HtmlTrStart);
 
            DynamicTable.AppendLine(HtmlThStart + "Name" + HtmlThEnd);
 
            DynamicTable.AppendLine(HtmlThStart + "Category" + HtmlThEnd);
 
            DynamicTable.AppendLine(HtmlThStart + "Price" + HtmlThEnd);
 
            DynamicTable.AppendLine(HtmlThStart + "Image URL" + HtmlThEnd);
 
            DynamicTable.AppendLine(HtmlTrEnd);
 
        }
 
 
         //This method create new table row with data
        private static void CreateTableRow(Product Product,
 
           StringBuilder emailDynamicTable)
        {
 
            emailDynamicTable.AppendLine(HtmlTrStart);
 
            emailDynamicTable.AppendLine(HtmlTdStart + Product.ProductName + HtmlTdEnd);
 
            emailDynamicTable.AppendLine(HtmlTdStart + Product.CategoryId + HtmlTdEnd);
 
            emailDynamicTable.AppendLine(HtmlTdStart + Product.Price + HtmlTdEnd);
 
            emailDynamicTable.AppendLine(HtmlTdStart + Product.ImageUrl + HtmlTdEnd);
 
            emailDynamicTable.AppendLine(HtmlTrEnd);
 
        }
 
 
    }
 

Difference between foreign key and primary key:

In this post I will share key differences between foreign key and primary key.

Primary Key:

The PRIMARY KEY uniquely identifies each record in a database table; main goal is to prevent duplicate values for columns and provides unique identifier to each column.

Foreign key:

Foreign key is a column or field in current table and primary key of another table, the foreign key points to another table using primary key of that table.

Differences:

Following table shows all possible differences between MS-SQL Server table primary key and foreign key.

  धन्यवाद मित्रानो, आपला प्रत्येक दिवस आनंदी आणि सुखी जावो