I have a client/server application (asp.net), which has a textarea which a user types

Question

Editorial Team

Asked: May 30, 20262026-05-30T01:26:18+00:00 2026-05-30T01:26:18+00:00

I have a client/server application (asp.net), which has a textarea which a user types in html elements+text.

the data being sent from client to server is via jQuery ajax POST. ( to ashx)

lets say the client type in:

<b> Hello </b>

so I :

1) encodeUriComponent the whole text.

2) Html Encode Special Chars ( like > <)

3) send this to the server

4) save in DB.

Question :

what is the prefered way of saving in db ?

With > <? or should I decode it and then save it?

(data should be presented to user, some time in the future…)

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-05-30T01:26:20+00:00

Editorial Team

POST the raw HTML input to your desired action
Use the [AllowHtml] attribute on the desired field of your model.
Use Microsoft’s Anti-XSS library to remove any javascript, etc (unless that’s intended).
Save raw HTML to your database, but be sure to use parameterized queries to prevent injection attacks.
Stop HTML Encoding everything. It looks terrible.

The Archive Base Latest Questions