HtmlEncode for all controls

[jaja]

Hello all,
I am familiar with the HtmlEncode Server method.

I also read this : http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx

My question is: If I want to encode all inputs from user, can I apply
this encoding for all "Input" fields on my site in a single action.

Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.

Many thanks.

 

[Bob Barrows [MVP]]

Hello all,
I am familiar with the HtmlEncode Server method.

I also read this :
http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx

My question is: If I want to encode all inputs from user, can I apply
this encoding for all "Input" fields on my site in a single action.

Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.

No.
Actually you want to use HtmlEncode when writing data to Response, not
when reading data from a user

 

[jaja]

No.

Actually you want to use HtmlEncode when writing data to Response, not
when reading data from a user

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Thanks for the prompt reply.
I am new to web development.
It may be that I didn't clear myself well.

For example, I have the following html_encode1.asp file:

------------------------------------------------------
<%@ language="vbscript"%>
<html>
<body>
<form action="html_encode1.asp" method="post">
<input type="text" name="txtbox">
<textarea name="txtarea" width=50 height=30/></textarea>
<input type="submit" value="Submit" />
</form>

<%
dim fname
fname=Request.Form("txtarea")
fname = Server.HTMLEncode(fname)
If fname<>"" Then
Response.Write("Hello " & fname & "!<br />")
Response.Write("How are you today?")
End If
%>
</body>
</html>
------------------------------------------------------

Please disregard the content. It is not the issue.
As you can see I have here 2 input controls: A TextBox and a TextArea.
On both I need to operate the HtmlEncode for security purpuses.
Now suppose I have 100 controls per page and 100 pages (I am
exaggerating of course, but just for theory prupuses).
Should I now activate HtmlEncode for each on of the controls per each
one of the pages?

Thanks again.

 

[Bob Barrows [MVP]]

Thanks for the prompt reply.
I am new to web development.
It may be that I didn't clear myself well.

No, I totally understood your question, and my answer still stands.
You're not "activating HtmlEncode": You are calling a method called
HTMLEncode that is contained in the Server object. That method replaces
certain characters in the string provided via the argument with the HTML
codes for those characters and returns the resulting string to the
calling procedure.

There is no shortcut here, except for eliminating one unnecessary line
of code. All you really need is:

fname=Request.Form("txtarea")
If fname<>"" Then
Response.Write("Hello " & _
Server.HTMLEncode(fname) & "!<br />")
Response.Write("How are you today?")
End If

Again, the only place you need to use the method is when you are
actually writing the value to response. There is no value, security or
otherwise, to using it anywhere else.

 

[jaja]

Ok, Thank you Bob.

 

[Bob Barrows [MVP]]

Hello all,
I am familiar with the HtmlEncode Server method.

I also read this :
http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx

My question is: If I want to encode all inputs from user, can I apply
this encoding for all "Input" fields on my site in a single action.

Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.

Many thanks.

 

[Bob Barrows [MVP]]

Hello all,
I am familiar with the HtmlEncode Server method.

I also read this :
http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx

My question is: If I want to encode all inputs from user, can I apply
this encoding for all "Input" fields on my site in a single action.

Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.

Actually, you could write your own function and include it via SSI in
all your pages:

ProcedureLibrary.asp
<%
Sub WriteToResponse(sData, bEncode)
If bEncode Then
Response.Write Server.HTMLEncode(sData)
Else
Response.Write sData
End If
End Sub
%>

Then in your html_encode1.asp page:

<!--#include file=procedureLibrary.asp-->
<%
dim fname
fname=Request.Form("txtarea")
If fname<>"" Then
WriteToResponse "Hello " & fname, true
WriteToResponse "!<br />",false
WriteToResponse "How are you today?", false
End If
%>

 

[jaja]

Actually, you could write your own function and include it via SSI in
all your pages:

ProcedureLibrary.asp
<%
Sub WriteToResponse(sData, bEncode)
If bEncode Then
    Response.Write Server.HTMLEncode(sData)
Else
    Response.Write sData
End If
End Sub
%>

Then in your html_encode1.asp page:

<!--#include file=procedureLibrary.asp-->
<%
dim fname
fname=Request.Form("txtarea")
If fname<>"" Then
      WriteToResponse "Hello " & fname, true
      WriteToResponse "!<br />",false
      WriteToResponse "How are you today?", false
End If
%>

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Thank you Bob for the nice tip.
I would have hoped there will we maybe a Server object property which
I will be able to set and it will do the work, but apparently there
isn't.
Thanks, again!