HtmlEncode for all controls

Discussion in 'ASP General' started by jaja, Apr 9, 2008.

  1. jaja

    jaja Guest

    Hello all,
    I am familiar with the HtmlEncode Server method.

    I also read this : http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx

    My question is: If I want to encode all inputs from user, can I apply
    this encoding for all "Input" fields on my site in a single action.

    Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.

    Many thanks.
    jaja, Apr 9, 2008
    #1

  2. jaja wrote:
    > Hello all,
    > I am familiar with the HtmlEncode Server method.
    >
    > I also read this :
    > http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx
    >
    > My question is: If I want to encode all inputs from user, can I apply
    > this encoding for all "Input" fields on my site in a single action.
    >
    > Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.


    No.
    Actually you want to use HtmlEncode when writing data to Response, not
    when reading data from a user

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Apr 9, 2008
    #2

  3. jaja

    jaja Guest

    > No.
    > Actually you want to use HtmlEncode when writing data to Response, not
    > when reading data from a user
    >
    > --
    > Microsoft MVP -- ASP/ASP.NET
    > Please reply to the newsgroup. The email account listed in my From
    > header is my spam trap, so I don't check it very often. You will get a
    > quicker response by posting to the newsgroup.


    Thanks for the prompt reply.
    I am new to web development.
    It may be that I didn't make myself clear.

    For example, I have the following html_encode1.asp file:

    ------------------------------------------------------
    <%@ language="vbscript"%>
    <html>
    <body>
    <form action="html_encode1.asp" method="post">
      <input type="text" name="txtbox">
      <textarea name="txtarea" cols="50" rows="30"></textarea>
      <input type="submit" value="Submit" />
    </form>

    <%
    dim fname
    fname=Request.Form("txtarea")
    fname = Server.HTMLEncode(fname)
    If fname<>"" Then
      Response.Write("Hello " & fname & "!<br />")
      Response.Write("How are you today?")
    End If
    %>
    </body>
    </html>
    ------------------------------------------------------

    Please disregard the content. It is not the issue.
    As you can see I have here 2 input controls: A TextBox and a TextArea.
    On both I need to operate the HtmlEncode for security purposes.
    Now suppose I have 100 controls per page and 100 pages (I am
    exaggerating of course, but just for theory purposes).
    Should I now activate HtmlEncode for each one of the controls per each
    one of the pages?

    Thanks again.
    jaja, Apr 9, 2008
    #3
  4. jaja wrote:
    >> No.
    >> Actually you want to use HtmlEncode when writing data to Response,
    >> not when reading data from a user
    >>

    >
    > Thanks for the prompt reply.
    > I am new to web development.
    > It may be that I didn't make myself clear.
    >

    No, I totally understood your question, and my answer still stands.
    You're not "activating HtmlEncode": You are calling a method called
    HTMLEncode that is contained in the Server object. That method replaces
    certain characters in the string provided via the argument with the HTML
    codes for those characters and returns the resulting string to the
    calling procedure.

    There is no shortcut here, except for eliminating one unnecessary line
    of code. All you really need is:

    fname=Request.Form("txtarea")
    If fname<>"" Then
        Response.Write("Hello " & _
            Server.HTMLEncode(fname) & "!<br />")
        Response.Write("How are you today?")
    End If

    Again, the only place you need to use the method is when you are
    actually writing the value to response. There is no value, security or
    otherwise, to using it anywhere else.

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Apr 9, 2008
    #4
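
Added example, not part of the original thread or of Bob's code: a version of html_encode1.asp that keeps the posted value raw and encodes it only where it is written, once per output context, next to what an "encode all inputs" step would produce. The helper names H and U, the sample string and the `name` query parameter are assumptions made for the illustration.

```asp
<%@ language="vbscript" %>
<%
Option Explicit
' Added example (not from the thread). Keep the raw value; encode per
' context at the moment it is written. H and U are hypothetical helpers.
Function H(sData)   ' HTML element content or a double-quoted attribute
    H = Server.HTMLEncode(sData & "")
End Function
Function U(sData)   ' a single query-string value
    U = Server.URLEncode(sData & "")
End Function

Dim raw, encodedOnInput
raw = Request.Form("txtarea")
' Constructed sample value, used until the form has been posted.
If raw = "" Then raw = "Tom & ""Jerry"" <b>"
' What a site-wide "encode all inputs" step would hand the page instead.
encodedOnInput = Server.HTMLEncode(raw)
%>
<html>
<body>
<form action="html_encode1.asp" method="post">
  <!-- attribute context: double-quoted attribute, encoded value -->
  <input type="text" name="txtbox" value="<%= H(raw) %>">
  <!-- element content -->
  <textarea name="txtarea" cols="50" rows="5"><%= H(raw) %></textarea>
  <input type="submit" value="Submit">
</form>
<p>Hello <%= H(raw) %>!</p>
<!-- URL context: URLEncode the value, then HTMLEncode for the attribute -->
<p><a href="html_encode1.asp?name=<%= H(U(raw)) %>">link with the value</a></p>
<!-- raw value keeps its real length for validation, storage, comparisons -->
<p>Raw length: <%= Len(raw) %></p>
<!-- input-time encoding changes the data, and a later output encoder
     encodes it again, so the visitor sees entity text -->
<p>Input-encoded length: <%= Len(encodedOnInput) %></p>
<p>Encoded twice: <%= H(encodedOnInput) %></p>
</body>
</html>
```

The last two paragraphs of the rendered page show the cost of encoding on input: the stored string is longer than what the user typed, and any correctly written output code downstream displays `&amp;` and `&lt;` as literal text.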
  5. jaja

    jaja Guest

    Ok, Thank you Bob.
    jaja, Apr 9, 2008
    #5
  6. jaja wrote:
    > Hello all,
    > I am familiar with the HtmlEncode Server method.
    >
    > I also read this :
    > http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx
    >
    > My question is: If I want to encode all inputs from user, can I apply
    > this encoding for all "Input" fields on my site in a single action.
    >
    > Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.
    >
    > Many thanks.


    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Apr 9, 2008
    #6
  7. jaja wrote:
    > Hello all,
    > I am familiar with the HtmlEncode Server method.
    >
    > I also read this :
    > http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx
    >
    > My question is: If I want to encode all inputs from user, can I apply
    > this encoding for all "Input" fields on my site in a single action.
    >
    > Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.
    >
    >


    Actually, you could write your own function and include it via SSI in
    all your pages:

    ProcedureLibrary.asp
    <%
    Sub WriteToResponse(sData, bEncode)
        If bEncode Then
            Response.Write Server.HTMLEncode(sData)
        Else
            Response.Write sData
        End If
    End Sub
    %>

    Then in your html_encode1.asp page:

    <!--#include file="procedureLibrary.asp"-->
    <%
    dim fname
    fname=Request.Form("txtarea")
    If fname<>"" Then
        WriteToResponse "Hello " & fname, true
        WriteToResponse "!<br />",false
        WriteToResponse "How are you today?", false
    End If
    %>

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Apr 9, 2008
    #7
  8. jaja

    jaja Guest

    On 9 April, 18:02, "Bob Barrows [MVP]" <>
    wrote:
    > jaja wrote:
    > > Hello all,
    > >  I am familiar with the HtmlEncode Server method.

    >
    > >  I also read this :
    > >http://msdn2.microsoft.com/en-us/library/a2a4yykt(VS.80).aspx

    >
    > >  My question is: If I want to encode all inputs from user, can I apply
    > > this encoding for all "Input" fields on my site in a single action.

    >
    > >  Something like Input.HtmlEncodeAll() or HtmlEncodeAllInputs() etc.

    >
    > Actually, you could write your own function and include it via SSI in
    > all your pages:
    >
    > ProcedureLibrary.asp
    > <%
    > Sub WriteToResponse(sData, bEncode)
    > If bEncode Then
    >     Response.Write Server.HTMLEncode(sData)
    > Else
    >     Response.Write sData
    > End If
    > End Sub
    > %>
    >
    > Then in your html_encode1.asp page:
    >
    > <!--#include file=procedureLibrary.asp-->
    > <%
    > dim fname
    > fname=Request.Form("txtarea")
    > If fname<>"" Then
    >       WriteToResponse "Hello " & fname, true
    >       WriteToResponse "!<br />",false
    >       WriteToResponse "How are you today?", false
    > End If
    > %>
    >
    > --
    > Microsoft MVP -- ASP/ASP.NET
    > Please reply to the newsgroup. The email account listed in my From
    > header is my spam trap, so I don't check it very often. You will get a
    > quicker response by posting to the newsgroup.


    Thank you Bob for the nice tip.
    I would have hoped there will be maybe a Server object property which
    I will be able to set and it will do the work, but apparently there
    isn't.
    Thanks, again!
    jaja, Apr 10, 2008
    #8
