Published: 27 Oct 2006
By: Peter Kellner

This article gives a step-by-step method for securely displaying user-supplied HTML in ASP.NET 2.0.

Introduction

It is often necessary to let users upload textual data that will later be displayed in a web browser. A typical example is the interface created for the code camp website, where presenters need to upload a description of their presentation. Since what one user enters will ultimately be rendered in the browser of a different user, it is important not to let certain tags such as <script></script> be rendered. The reason is that if the user were to input the following text:

The result would be that when some unsuspecting user visits that page, they will see a "hello" dialog pop up on their screen. Even worse, they may find cookies stolen, nasty redirections or other malicious behavior caused by this JavaScript executing. The solution is to keep dangerous tags from ever being sent to the client's browser. This article gives a step-by-step method for doing this successfully.

The Solution

The solution is to store the information the user typed into the browser as HTML-encoded text. That is, things like <script></script> will automatically be turned into something that looks like the following.

The benefit of this is that if this information is redisplayed in the browser, it will show exactly as it is above. The encoded tags will not cause any code to be executed in the browser. The problem then becomes: what if you want some of the tags, such as <p></p>, <b></b> or <i></i>, to be rendered as real tags? No problem, just a few simple String.Replace calls and you are back in business.

So, as promised, here is the step by step.

First, when saving the string to the database, use the following expression.

Then, write a small function that takes the encoded string and only restores the tags you are interested in, such as paragraph, bold and italics. Here is a sample function used for that process.

To use the function, you would populate a Label control as follows:

Then, you would put a function in your codebehind that calls ConvertEncodedHTMLToRealHTML as follows:
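
The two steps described above, as an added example that is not the article's original code: HttpUtility.HtmlEncode when saving, then a whitelist of String.Replace calls when populating the Label. The class name SafeHtmlDisplay, the label name lblDescription and the sample presenter description are assumptions.

```csharp
using System;
using System.Web; // HttpUtility lives in System.Web.dll

// Added example (not the article's own code): both steps of the method.
public static class SafeHtmlDisplay
{
    // Tags whose encoded form is turned back into real markup. Only bare tags
    // with no attributes match, so <b onmouseover="..."> or <p style="..."> stay encoded.
    private static readonly string[] AllowedTags = { "p", "b", "i" };

    // Step 1: encode everything before the text is written to the database.
    public static string EncodeForStorage(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput ?? string.Empty);
    }

    // Step 2: restore only the whitelisted tags; <script>, <img>, event handler
    // attributes and anything else remain as harmless &lt;...&gt; text.
    public static string ConvertEncodedHTMLToRealHTML(string encoded)
    {
        if (string.IsNullOrEmpty(encoded)) return string.Empty;

        string result = encoded;
        foreach (string tag in AllowedTags)
        {
            // Matching is case-sensitive: <P> stays encoded unless "P" is whitelisted.
            result = result.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            result = result.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return result;
    }

    // Stand-alone check with a constructed presenter description.
    public static void Main()
    {
        string submitted =
            "<p>Talk on <b>ASP.NET</b> and <i>security</i></p>" +
            "<script>alert('hello')</script><b onclick=\"alert(1)\">x</b>";

        string stored = EncodeForStorage(submitted);           // what goes to the database
        string forLabel = ConvertEncodedHTMLToRealHTML(stored); // what the Label receives

        // In a code-behind this would be: lblDescription.Text = forLabel;
        // The <p>, <b> and <i> tags come back; the <script> block and the <b onclick=...>
        // tag stay encoded and are shown as text rather than interpreted.
        Console.WriteLine(forLabel);
    }
}
```

Because the Replace calls only match attribute-free tags, any allowed tag that carries an attribute is left encoded and displayed as text; extend AllowedTags rather than loosening the match if more formatting is needed.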

Conclusion

You now have a safe way to store full HTML in your database and display it without letting it execute. This method renders only the specific HTML tags you whitelist. You can of course expand the set of tags it restores, as well as use other methods to make the HTML safe to render. The method presented here is just one very simple approach.

That is it! You now have a safe way to store HTML in your database and then redisplay it.
