Wrox Programmer Forums
Go Back   Wrox Programmer Forums > ASP.NET and ASP > Other ASP.NET > BOOK: Beginning ASP.NET Security
| Search | Today's Posts | Mark Forums Read
BOOK: Beginning ASP.NET Security
This is the forum to discuss the Wrox book Beginning ASP.NET Security by Barry Dorrans; ISBN: 978-0-470-74365-2
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Beginning ASP.NET Security section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
  #1 (permalink)  
Old December 27th, 2010, 10:44 AM
Registered User
 
Join Date: Dec 2010
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default Ajax FilteredTextBoxExtender suppresses the need to use HtmlEncode?

Hi all!

I was just wondering : I'm building a website and I am using the Ajax Toolkit's FilteredTextBoxExtender on my textboxes which receives input from the user.

The filteredtextboxextender is set to ignore for instance these signs: <>[]{}.

My question is :

Is it best practice to still use HtmlEncode on the input just to be sure (although no evil hackerscripts beginning with i.e '<script>','<img>' could enter this way) ?

Or can the use of HtmlEncode in these cases be left out ?


Greetings to all developers:
AjoMan
  #2 (permalink)  
Old December 28th, 2010, 01:48 PM
Wrox Author
Points: 39, Level: 1
Points: 39, Level: 1 Points: 39, Level: 1 Points: 39, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Jan 2010
Posts: 9
Thanks: 0
Thanked 1 Time in 1 Post
Default

I'd say yes, as you're not filtering ampersands, or \0x character literals, or a few of the other ways of trying to embed <> signs in order to run scripts.

Encoding at the point of rendering won't hurt, and becomes part of defence in depth.


Similar Threads
Thread Thread Starter Forum Replies Last Post
ajaxtoolkit FilteredTextBoxExtender Komila .NET Framework 2.0 3 March 14th, 2008 12:25 AM
HTMLEncode and DataFormatString Exceptions wirerider ASP.NET 2.0 Basics 1 October 4th, 2006 07:53 PM
Type mismatch: 'htmlEncode' nlpatel78 Classic ASP Basics 1 March 3rd, 2005 06:39 AM
HtmlEncode method of Server object bekim C# 4 June 27th, 2004 01:38 PM





Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.