Server.HtmlEncode in ASP.NET 2.0

In this post I am going to show how you can avoid inserting malicious code into your HTML, database and so on when you get user input from forms. For this example, in the aspx file I am going to use the following controls:

<asp:TextBox ID="tbText" runat="server" TextMode="MultiLine" Width="250px" Height="150px" />

<br /><br />

<asp:Button ID="btnSend" runat="server" Text="Paste into code" />

<br /><br /><br />

<asp:Label ID="lblText" runat="server" />

Very simple.

In the code-behind, put the following:

Protected Sub btnSend_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnSend.Click

Dim txt As String = tbText.Text

Dim writer As New System.IO.StringWriter

Server.HtmlEncode(txt, writer)

lblText.Text = writer.ToString

End Sub

Here I am using the "Server.HtmlEncode" method to encode the user's input, so that if it contains something like <script>Alert("Hi there!");</script> it won't pop up; in other words, you are protected from cross-site scripting attacks. I forgot to tell you about one more essential thing.

In your aspx file, in the @Page directive, you have to set the following:

<%@ Page Language="VB" ValidateRequest="false" ...........

That way the runtime request validation mechanism will be turned off, and you will be able to use this functionality and avoid this message:

A potentially dangerous Request.Form value was detected from the client (tbText="<script>").

And the last thing to remember is to validate all information that you get from the user.
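A compact version of the same handler, as an added example (not the post's own code): it uses the one-argument overload of HtmlEncode, which returns the encoded string directly, and its comments show what the encoder does to the inputs discussed here. EncodeForHtml, Unsafe_Click and the class name are hypothetical; tbText and lblText are the controls from the markup above.

```vb
Imports System
Imports System.Web
Imports System.Web.UI.WebControls

Partial Class EncodeDemo
    Inherits System.Web.UI.Page

    ' Vulnerable form: whatever the user typed is emitted as raw HTML, so
    ' <script>Alert("Hi there!");</script> is handed to the browser as markup.
    ' (Shown only as the "before" of the fix below.)
    Protected Sub Unsafe_Click(ByVal sender As Object, ByVal e As EventArgs)
        lblText.Text = tbText.Text
    End Sub

    ' Safe form: the one-argument overload returns the encoded string,
    ' so no StringWriter is needed. Server.HtmlEncode and the static
    ' HttpUtility.HtmlEncode produce the same result.
    Protected Sub btnSend_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnSend.Click
        lblText.Text = EncodeForHtml(tbText.Text)
    End Sub

    ' Hypothetical helper: encodes the characters that carry meaning in HTML
    ' (<, >, &, ") so the browser renders them as literal text.
    '   <script>Alert("Hi");</script> -> &lt;script&gt;Alert(&quot;Hi&quot;);&lt;/script&gt;
    '   <b>bold</b>                   -> &lt;b&gt;bold&lt;/b&gt;
    ' Note that ordinary tags such as <b> are encoded too; they are displayed,
    ' not interpreted, which is the whole point of output encoding.
    Public Shared Function EncodeForHtml(ByVal input As String) As String
        If input Is Nothing Then Return String.Empty
        Return HttpUtility.HtmlEncode(input)
    End Function
End Class
```

Setting ValidateRequest="false" on the page only disables the request-side check; the encoding in btnSend_Click is what keeps the output safe, so it must be applied everywhere the text is rendered.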

Cheers

Thank you for your question. Here is the answer:

The difference is that this overload HTML-encodes a string and sends the resulting output to a TextWriter output stream. StringWriter is an implementation of TextWriter.

Published Thursday, February 21, 2008 3:37 AM by stoian bucovich

Comments

# re: Server.HtmlEncode in ASP.NET 2.0

Thursday, February 21, 2008 4:38 AM by Guy Harwood

Why bother using a StringWriter?

# re: Server.HtmlEncode in ASP.NET 2.0

Monday, May 11, 2009 3:29 AM by Velan

Hi,

There are times where one cannot do this for all text boxes on every page of an application (especially in a big application).

So what is the solution for this kind of situation?

-danny.myself@gmail.com

# re: Server.HtmlEncode in ASP.NET 2.0

Tuesday, October 27, 2009 7:16 AM by Jimit Shah

Will normal HTML tags like "<b></b>" be encoded or not?
