Wrox Programmer Forums

Need to download code?

View our list of code downloads.
Go Back   Wrox Programmer Forums > ASP.NET and ASP > Other ASP.NET > BOOK: Beginning ASP.NET Security
Reload this Page Ajax FilteredTextBoxExtender suppresses the need to use HtmlEncode?
Password Reminder
Register
Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read
BOOK: Beginning ASP.NET Security
This is the forum to discuss the Wrox book Beginning ASP.NET Security by Barry Dorrans; ISBN: 978-0-470-74365-2
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Beginning ASP.NET Security section of the Wrox Programmer to Programmer discussions. This is a community of tens of thousands of software programmers and website developers including Wrox book authors and readers. As a guest, you can read any forum posting. By joining today you can post your own programming questions, respond to other developers’ questions, and eliminate the ads that are displayed to guests. Registration is fast, simple and absolutely free .
DRM-free e-books 300x50
Reply
 
Thread Tools Display Modes
  #1 (permalink)  
Old December 27th, 2010, 09:44 AM
Registered User
  
Join Date: Dec 2010
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default Ajax FilteredTextBoxExtender suppresses the need to use HtmlEncode?
Hi all!

I was just wondering : I'm building a website and I am using the Ajax Toolkit's FilteredTextBoxExtender on my textboxes which receives input from the user.

The filteredtextboxextender is set to ignore for instance these signs: <>[]{}.

My question is :

Is it best practice to still use HtmlEncode on the input just to be sure (although no evil hackerscripts beginning with i.e '<script>','<img>' could enter this way) ?

Or can the use of HtmlEncode in these cases be left out ?


Greetings to all developers:
AjoMan
Reply With Quote
  #2 (permalink)  
Old December 28th, 2010, 12:48 PM
Wrox Author
Points: 39, Level: 1
Points: 39, Level: 1 Points: 39, Level: 1 Points: 39, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Jan 2010
Posts: 9
Thanks: 0
Thanked 1 Time in 1 Post
Default
I'd say yes, as you're not filtering ampersands, or \0x character literals, or a few of the other ways of trying to embed <> signs in order to run scripts.

Encoding at the point of rendering won't hurt, and becomes part of defence in depth.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
ajaxtoolkit FilteredTextBoxExtender Komila .NET Framework 2.0 3 March 14th, 2008 12:25 AM
HTMLEncode and DataFormatString Exceptions wirerider ASP.NET 2.0 Basics 1 October 4th, 2006 07:53 PM
Type mismatch: 'htmlEncode' nlpatel78 Classic ASP Basics 1 March 3rd, 2005 05:39 AM
HtmlEncode method of Server object bekim C# 4 June 27th, 2004 01:38 PM



All times are GMT -4. The time now is 06:23 PM.

Contact Us - Wrox - Privacy Statement - Top

Powered by vBulletin® Version 3.7.0
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
© 2013 John Wiley & Sons, Inc.