Every time a user posts something containing > in a page in my web application, I get this exception thrown.
I don't want to go into the discussion about the smartness of throwing an exception or crashing an entire web application because somebody entered a character in a text box, but I am looking for an elegant way to handle this.
Trapping the exception and showing "An error has occurred, please go back and re-type your entire form again, but this time please do not use <" doesn't seem professional enough to me.
Disabling post validation (validateRequest="false") will definitely avoid this error, but it will leave the page vulnerable to a number of attacks.
Ideally: when a post back occurs containing HTML restricted characters, that posted value in the Form collection will be automatically HTML encoded. So the .Text property of my text-box will be something &lt;html&gt;
Is there a way I can do this from a handler?
I've got a single dependency on jQuery that I don't want, and need a browser-safe method to decode server-side HTML-encoded content.
The effect I'm going for is to replace an existing DOM element with the HTML that gets decoded, along the following lines:
value contains an HTML-encoded string.
Alternatively, a more direct approach would also be welcome.
I would like to see HTML in the Kendo UI Editor like
How can I do this?
I'm trying to protect myself from SQL injection and am using:
When posting HTML it looks something like this:
<span class="\"className\""><p class="\"pClass\"" id="\"pId\""></p></span>
I'm not sure how many other variations real_escape_string adds so don't want to just replace a few and miss others... How do I "decode" this back into correctly formatted HTML, with something like:
What should be done against contents of href attribute: HTML or URL encoding?
<a href="???">link text</a>
On the one hand, since href attribute contains URL I should use URL encoding. On the other hand, I'm inserting this URL into HTML, so it must be HTML encoded.
Please help me to overcome this contradiction.
Here's the contradiction. Suppose there might be the '<' and '>' characters in the URL. URL encoding won't escape them, so there will be reserved HTML characters inside the href attribute, which violates the standard. HTML encoding will escape the '<' and '>' characters and the HTML will be valid, but after that there will be unexpected '&' characters in the URL (this is a reserved character in URLs, used as the delimiter between query string parameters).
I was wrong about the '<' and '>' characters; they are actually percent-escaped by URL encoding. If so, URL encoding is sufficient in this case, isn't it?
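The two encodings in the last question are not in contradiction once they are applied in the order the layers are parsed: URL-encode the parameter values first, then HTML-encode the finished URL before placing it in the attribute. The following is an added example, not code from any of the posts above; the base URL and parameter values are constructed sample input.

```javascript
// Layer 1 (URL encoding): percent-encode each query name and value so that
// '<', '>', '&', '=', '"' and spaces inside a value are data for the URL
// parser rather than delimiters. encodeURIComponent leaves - _ . ! ~ * ' ( )
// alone, so an apostrophe survives this layer untouched.
function buildQueryUrl(base, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return query ? `${base}?${query}` : base;
}

// Layer 2 (HTML attribute encoding): escape the characters that mean something
// to the HTML parser inside a double-quoted attribute. '&' goes first so the
// entities produced afterwards are not re-escaped.
function escapeHtmlAttribute(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The value that belongs between the quotes of href="...": URL-encode first,
// then HTML-encode the finished URL. The '&' between parameters becomes
// '&amp;' here; the browser turns it back into '&' when parsing the attribute,
// so the URL it navigates to is exactly what buildQueryUrl produced.
function hrefAttribute(base, params) {
  return escapeHtmlAttribute(buildQueryUrl(base, params));
}

function anchorTag(base, params, text) {
  return `<a href="${hrefAttribute(base, params)}">${escapeHtmlAttribute(text)}</a>`;
}

// Constructed sample input with every troublesome character at once.
const sampleParams = { q: 'a<b>&c', note: 'it\'s "ok"' };
console.log(anchorTag('https://example.com/search', sampleParams, 'Search <here>'));
// <a href="https://example.com/search?q=a%3Cb%3E%26c&amp;note=it&#39;s%20%22ok%22">Search &lt;here&gt;</a>
```

Note that the apostrophe passes through encodeURIComponent unchanged and is only neutralised by the HTML layer, which is why the second step cannot be skipped even when every value has been URL-encoded.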