I use Asp.Net 4, C# and MS SQL.
For my website I use MS default solution for preventing Cross-Site Scripting.
I’m also used to ENCODE all User’s Inputs in my logic so that this data can be stored ENCODED in my Data Base.
At the moment I’m using a GridView to do some basic CRUD operation but I’m facing a problem.
- CREATE: User can insert any inputs, my logic will ENCODE and save on Data Base.
- READ: The GridView can display the User’s Input from Data Base in a “Label” the result is DECODED thanks to the Properties for the Field “HtmlEnscape True or False.
- UPDATE: Here my problem! At time of editing the TextBox show up the User input from the DataBase Encoded (in this way was saved) but I would need to DECODED again to show it up to the User so can be edited in a friendly way and resaved.
My questions:
– How to do it?
– Because I have many TextBox in many pages in my application, how to centralize this behavior?
Thanks guys for your help!
Firstly I would say that you should never encode before storing in a database. You encode at the point of output – before you put it in a text box, or a grid or wherever.
This has a few advantages;
In the case of textbox the actual encoding depends on the type of textbox – a single line text box is attribute encoded, a multiline text box is HTML encoded, and using the text property of the asp.net textbox control encodes for you, using the correct method.
By storing “raw” HTML you remove the need to decode because the controls are encoding automatically for you, there is nothing for you to centralise.