Home/ Questions/Q 880439
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T12:05:54+00:00

I want to see if my encoding is working however the example I made

  • 0

I want to see if my encoding is working however the example I made just reverts back to non encoded after it goes back to the page.

<a href="http://search.msn.com/results.aspx%3fq%3dIamBad">Click Here!</a>

Turns back into

<a href="http://search.msn.com/results.aspx?q=IamBad">Click Here!</a>

Edit

UrlEncode Untrusted input is used in a
URL (such as a value in a
querystring) Click
Here!

http://msdn.microsoft.com/en-us/library/aa973813.aspx

So my question is I am trying to see if something is not working right(ie why does it make the query string part look normal again).

Is it because the query string contains nothing really out of the ordinary. Or is something re encoding it back to its original form?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You simply do not redisplay inputs from a user that come in via a form submission or through the query string, either redisplaying it to that user directly or storing it in a database that would then display it to other users of the site.

    Say you have a hyperlink like this 

    /default.aspx?message=%3cscript%3ealert('Hello+world')%3b%3c%2fscript%3e

    What you do not want to do is this 

    string message = Request.QueryString["message"];
if (!string.IsNullOrEmpty(message))
    directlyDisplayedLiteral.Text = message;

    Because what would happen is that when that when the page loads, the user is going to see a message box pop up on screen. All this script produces is a stupid little message box, but it could be doing other malicious things to your users.

    Instead, you want to encode the input before displaying it, so it becomes something harmless. 

    string message = Request.QueryString["message"];
if (!string.IsNullOrEmpty(message))
    directlyDisplayedLiteral.Text = Server.HtmlEncode(message);

    So all that happens is that <script>alert('Hello world');</script> is written to the screen, which is actually &lt;script&gt;alert('Hello world');&lt;/script&gt; in HTML. There’s no message box, no script actually executing, it’s just benign text on a screen.

    • 0