I want to enable comment posting on my page, so I need to execute some HTML encoding before the post is sent and inserted into a database.
What is the ideal side for this?
Server side (I work with ASP.NET) or client side (JavaScript)?
If you mean sanitizing the user input, the only place you can do that safely is server-side. You can’t be sure that anything has been done client-side, it’s too easy to bypass client-side code.
It’s like data validation: It’s nice to do data validation (making sure key fields of a form are filled in with valid values, for instance) on the client because the immediate feedback makes for a good user experience, but doing so is not a substitute for doing it on the server, because it’s trivially easy to bypass the client-side validation.
But with sanitizing input, you don’t even want to try to do that client-side; assume it’s un-sanitized and sanitize it on the server.
In ASP.Net, if the input you’re sanitizing is a string you’re later going to display in an HTML page and you want to ensure that it doesn’t contain HTML tags of its own, you can use
HttpServerUtility.HtmlEncode to encode the string (basically, turning < into &lt; and such).
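As an added illustration of the server-side approach described in the answer (example code, not part of the original post), the following C# method validates and HTML-encodes a comment on the server before it is handed to the database layer. It uses System.Net.WebUtility.HtmlEncode, the static equivalent of the HttpServerUtility.HtmlEncode call mentioned above; the class name, length limit and sample comment are assumptions made for the example.

```csharp
// Added example, not from the original answer: server-side preparation of a
// comment before storage. Whatever the browser did (or did not do) is ignored;
// the server re-validates and encodes every submission itself.
using System;
using System.Net;

public static class CommentSanitizer
{
    // Hypothetical limit chosen for the example.
    public const int MaxLength = 2000;

    // Returns the HTML-encoded comment, or null when the input is rejected.
    // This runs on every request regardless of any client-side validation,
    // because a client can bypass or omit that validation entirely.
    public static string PrepareForStorage(string rawComment)
    {
        if (rawComment == null)
            return null;

        string trimmed = rawComment.Trim();
        if (trimmed.Length == 0 || trimmed.Length > MaxLength)
            return null;

        // Encodes at least <, >, &, " and ' so that any markup in the comment
        // is rendered as literal text instead of being interpreted as HTML.
        return WebUtility.HtmlEncode(trimmed);
    }

    public static void Main()
    {
        // Constructed sample input for the example: a comment carrying markup.
        string sample = "Nice post! <b>bold</b> & \"quoted\"";
        Console.WriteLine(PrepareForStorage(sample));
    }
}
```

Encoding at render time is the more common placement in ASP.NET (Razor and most controls encode output by default); if you encode before storage as the question proposes, make sure the stored text is not encoded a second time when it is displayed.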