You are currently viewing the BOOK: Beginning ASP.NET Security section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
Ajax FilteredTextBoxExtender suppresses the need to use HtmlEncode?
Hi all!
I was just wondering: I'm building a website and I am using the Ajax Toolkit's FilteredTextBoxExtender on my textboxes, which receive input from the user.
The FilteredTextBoxExtender is set to ignore, for instance, these signs: <>[]{}.
My question is:
Is it best practice to still use HtmlEncode on the input just to be sure (although no evil hacker scripts beginning with, e.g., '<script>' or '<img>' could enter this way)?
Or can the use of HtmlEncode in these cases be left out?
I'd say yes, as you're not filtering ampersands, or \0x character literals, or a few of the other ways of trying to embed <> signs in order to run scripts.
Encoding at the point of rendering won't hurt, and becomes part of defence in depth.
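To make the answer concrete, here is an added example (not code from the thread, the book, or the Ajax Control Toolkit) that puts a FilteredTextBoxExtender-style character filter next to HtmlEncode-style encoding at the point of rendering. It uses JavaScript because the extender's filtering is itself client-side script; the function names, the `<span title="...">` rendering and the sample input are all constructed for the illustration. The sample value contains none of `<>[]{}`, so the filter passes it through unchanged, yet its quotes and ampersand still change what an HTML parser sees unless the value is encoded on output:

```javascript
// Added example, not code from the original thread or the Ajax Control Toolkit.
// It contrasts a client-side character filter (in the spirit of the
// FilteredTextBoxExtender) with HtmlEncode-style encoding at render time.
// All function names and sample inputs here are constructed for illustration.

// Browser-side filter: drops every character listed in `disallowed`.
// Only a browser that runs the page's script applies it; a request built by
// any other HTTP client reaches the server with the characters still present.
function filterChars(input, disallowed) {
  const blocked = new Set(disallowed);
  return Array.from(input).filter((ch) => !blocked.has(ch)).join("");
}

// Output encoder doing what HttpUtility.HtmlEncode does for the characters
// that matter in element content and in quoted attribute values.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render relying on the filter alone: the filtered value is dropped into an
// attribute and into element content unchanged (the "filter only" approach
// the question asks about).
function renderFilteredOnly(value) {
  const filtered = filterChars(value, "<>[]{}");
  return `<span title="${filtered}">${filtered}</span>`;
}

// Render with encoding at the point of output (the answer's recommendation).
// Encoding is applied whether or not the client-side filter ever ran.
function renderEncoded(value) {
  const safe = htmlEncode(value);
  return `<span title="${safe}">${safe}</span>`;
}

// Reads back the title attribute the way a parser would: everything up to
// the next double quote. Returns null if no title attribute is present.
function titleAttribute(html) {
  const m = html.match(/title="([^"]*)"/);
  return m ? m[1] : null;
}

// Counts the tags a parser would see; a single <span> element yields 2.
function countTags(html) {
  return (html.match(/<[^>]*>/g) || []).length;
}

// Constructed sample: no angle brackets or braces, so the filter leaves it
// untouched, but the quotes and ampersand still matter to the HTML parser.
const SAMPLE = 'Tom & Jerry said "hi"';

console.log(renderFilteredOnly(SAMPLE));
// the title attribute ends at the first quote inside the value
console.log(renderEncoded(SAMPLE));
// the whole value survives as data, and the markup keeps its two tags
```

Running it shows the filter-only render producing a title attribute that ends at the first quote inside the user's value, while the encoded render keeps the entire value as data and the same two tags it started with. Because `filterChars` runs in the browser and `htmlEncode` runs where the page is built, only the latter is a control the server can count on, which is the "defence in depth" point in the answer.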