问题
I have to encode a field so to make it secure of script injection.
I know I can use HttpUtility.HtmlEncode and Decode, but this method for HI-ASCII characters goes out of the range of the field size in database and I dont want to change the size of data field column.
Instead if I use HttpUtility.HtmlAttributeEncode, it works fine because it does not encode the HI-ASCII characters.
Is it safe what can be the disadvantages of it.
回答1:
From HttpUtility..::.HtmlAttributeEncode Method (String):
The HtmlAttributeEncode method converts only quotation marks ("), ampersands (&), and left angle brackets (<) to equivalent character entities. It is considerably faster than the HtmlEncode method.
The string result from the HtmlAttributeEncode method should be used only for double-quoted attributes. Security issues might arise when using the HtmlAttributeEncode method with single-quoted attributes.
However it is not a usual practice to store the encoded input in the database. It is difficult to predict how much longer an encoded version will become.
Much better is directly store the input, and only encode it when needed (when you output it in HTML).
回答2:
Storing data without encoding may cause SQL injection.
来源:https://stackoverflow.com/questions/2463251/disadvantage-of-httputility-htmlattributeencode