html-encode

“<” in a text box in ASP.NET --> how to allow it?

▼魔方 西西 提交于 2019-11-26 14:22:40
问题 I have a textfield which displays a string which contains < and >. The code throws an error because of that. How can I allow the usage of those chars in my textfield? Thanks :) 回答1: Problem is that when this gets posted to server, it will not work, doesn't matter what you try. This is the ASP.NET XSS protection, which can be disabled like so: <%@ Page ... ValidateRequest="false" %> Trouble is, you'll have to be very careful validating all the postback yourself. Easier way is to escape all the

What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

杀马特。学长 韩版系。学妹 提交于 2019-11-26 12:10:36
问题 I just ran across a question with an answer suggesting the AntiXss library to avoid cross site scripting. Sounded interesting, reading the msdn blog, it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode(). Why would I want to use AntiXss.HtmlEncode over HttpUtility.HtmlEncode? Indeed, I am not the first to ask this question. And, indeed, Google turns up some answers, mainly A white-list instead of black-list approach A 0.1ms performance improvement Well,

Will HTML Encoding prevent all kinds of XSS attacks?

大城市里の小女人 提交于 2019-11-26 12:03:08
I am not concerned about other kinds of attacks. Just want to know whether HTML Encode can prevent all kinds of XSS attacks. Is there some way to do an XSS attack even if HTML Encode is used? No. Putting aside the subject of allowing some tags (not really the point of the question), HtmlEncode simply does NOT cover all XSS attacks. For instance, consider server-generated client-side javascript - the server dynamically outputs htmlencoded values directly into the client-side javascript, htmlencode will not stop injected script from executing. Next, consider the following pseudocode: <input

Which characters need to be escaped in HTML?

三世轮回 提交于 2019-11-26 11:59:12
Are they the same as XML, perhaps plus the space one (   )? I've found some huge lists of HTML escape characters but I don't think they must be escaped. I want to know what needs to be escaped. If you're inserting text content in your document in a location where text content is expected 1 , you typically only need to escape the same characters as you would in XML . Inside of an element, this just includes the entity escape ampersand & and the element delimiter less-than and greater-than signs < > : & becomes & < becomes < > becomes > Inside of attribute values you must also escape the quote

How to reverse htmlentities()?

二次信任 提交于 2019-11-26 10:56:57
问题 For special characters like áéí , I can call htmlentities() : $mycaption = htmlentities($mycaption, ENT_QUOTES); To get the corresponding html entities: áéí How can I reverse this back to áéí ? 回答1: If you use htmlentities() to encode, you can use html_entity_decode() to reverse the process: html_entity_decode() Convert all HTML entities to their applicable characters. html_entity_decode() is the opposite of htmlentities() in that it converts all HTML entities in the string to their

HtmlEncode from Class Library

瘦欲@ 提交于 2019-11-26 10:29:08
问题 I have a class library (in C#). I need to encode my data using the HtmlEncode method. This is easy to do from a web application. My question is, how do I use this method from a class library that is being called from a console application? 回答1: Import System.Web Or call the System.Web.HttpUtility which contains it You will need to add the reference to the DLL if it isn't there already string TestString = "This is a <Test String>."; string EncodedString = System.Web.HttpUtility.HtmlEncode

Html inside XML. Should I use CDATA or encode the HTML

送分小仙女□ 提交于 2019-11-26 09:27:02
问题 I am using XML to share HTML content. AFAIK, I could embed the HTML either by: Encoding it: I don\'t know if it is completely safe to use. And I would have to decode it again. Use CDATA sections: I could still have problems if the content contains the closing tag \"]]>\" and certain hexadecimal characters, I believe. On the other hand, the XML parser would extract the info transparently for me. Which option should I choose? UPDATE: The xml will be created in java and passed as a string to a

How to remove html special chars?

穿精又带淫゛_ 提交于 2019-11-26 04:12:21
问题 I am creating a RSS feed file for my application in which I want to remove HTML tags, which is done by strip_tags . But strip_tags is not removing HTML special code chars:   & © etc. Please tell me any function which I can use to remove these special code chars from my string. 回答1: Either decode them using html_entity_decode or remove them using preg_replace : $Content = preg_replace("/&#?[a-z0-9]+;/i","",$Content); (From here) EDIT: Alternative according to Jacco's comment might be nice to

HtmlSpecialChars equivalent in Javascript?

对着背影说爱祢 提交于 2019-11-26 03:14:26
问题 Apparently, this is harder to find than I thought it would be. And it even is so simple... Is there a function equivalent to PHP\'s htmlspecialchars built into Javascript? I know it\'s fairly easy to implement that yourself, but using a built-in function, if available, is just nicer. For those unfamiliar with PHP, htmlspecialchars translates stuff like <htmltag/> into <htmltag/> I know that escape() and encodeURI() do not work this way. 回答1: There is a problem with your solution code--it will

A potentially dangerous Request.Form value was detected from the client

一笑奈何 提交于 2019-11-25 21:40:56
问题 Every time a user posts something containing < or > in a page in my web application, I get this exception thrown. I don\'t want to go into the discussion about the smartness of throwing an exception or crashing an entire web application because somebody entered a character in a text box, but I am looking for an elegant way to handle this. Trapping the exception and showing An error has occurred please go back and re-type your entire form again, but this time please do not use < doesn\'t seem
订阅 html-encode