c# - Using HttpUtility.HtmlEncode and handling special characters/umlaut etc -

-

I use HttpUtility.HtmlEncode to sanitize user input to prevent XSS attacks. I am doing My problem is that it converts HtmlEncode special codes such as ü to their html equivalent code. I know what it does and does not encode. Then I need HtmlDecode to display it back to the user properly ü

2 question:

  • How to HtmlEncode determines that it is not ü and other Unicode characters like standard Greek alphabet characters. Does HtmlEncode encode all non ascii characters? What is the best way to stop script tags but allow special characters such as umlauts without a special unknown list?

  • Exposes a risk by using HtmlDecode This is potentially changing the malicious javascript

    1. HTMLEncode () is the main thing:
      1. it handles any such characters Which are not part of the default 127 ASCI characters.
      2. It encodes the character, which can be interpreted incorrectly by the browser as valid HTML, CSS or Javascript, to prevent both webpage crashed and deliberately.
    2. Is it dangerous to use? Everything can be dangerous to use it, depending on how you use it, the question is not as much as "are you decoding"? Rather, "Are you decoding user data?" What you do with the result can definitely be dangerous to use, even by displaying it in the client, XSS may be the reason.

    The FAR to be told about encoding and decoding is high, which I can write here, and people have consolidated it in front of me that I can tell you I can That's what XSS is and how you can stop it.


    Comments

    Post a Comment

    Popular posts from this blog

    HTML/CSS - Automatically set height width from background image? -

    -
    Long time ... I do not think it's possible, but I'm shocked before! I tag anchor tags, all of which are background images, all 300px wide but their height is all the difference, is it really set to do without typing altitude? Is it to set the dimensions of BG URL? Thank you! I do not think people understand - my mistake is to hurry the question. Here is the code as an example: # ago -1 {width: 300px; Height: 410px; Background: url ('/ image-1.jpg');} # East -2 {width: 300px; Height: 420px; Background: url ('/ image-2.jpg');} # Pre-3 {width: 300px; Height: 430px; Background: url ('/ image-3.jpg');} # Pre-4 {width: 300px; Height: 440px; Background: url ('/ image-3.jpg');} & lt; A href = "#" id = "ex-1" & gt; & Lt; / A & gt; & Lt; A href = "#" id = "ex-2" & gt; & Lt; / A & gt; & Lt; A href = "#" id = "pre-3" & gt; & Lt; / A & gt...
    Read more

    php - Mysql Show Process - Sleep Commands and what to do -

    -
    I am thinking that there is something that I can do better so that my process list should start with the command with MySQL Be clear Currently I am looking for a lot: 17325 user_a localhost db_1 sleep 1132 NULL 17464 user_a localhost db_1 sleep 1124 NULL 17983 user_a localhost db_1 sleep 1078 null 18113 user_a localhost db_1 sleep 1068 NULL 18207 user_a localhost db_1 sleep 1060 NULL 18231 user_a localhost db_1 sleep 1058 NULL 18353 user_a localhost db_1 sleep 1047 NULL 18447 user_a localhost db_1 sleep 1040 null 18489 user_a localhost db_1 sleep 1036 NULL 23408 user_a localhost db_1 sleep 637 NULL Something in my phpscript is that I want to clean it Can i The script looks like: Select the ID from $ q = 'db_1 where fkId = 2'; $ Ar = mysql_query ($ q); ($ Line = mysql_fetch_array ($ qr)) {echo ($ row ['id'];} Thanks in advance! I'm guessing that when you have 10 threads, you're constantly using the connectio...
    Read more

    c - What is the address of buf (the local variable in the main function)? -

    -
    I had exercise with programming in c or classes and I followed the question: Is Buf (local variable in main function)? Either enter the answer in hexadecimal format (like 0x 8 "digits" 0-9 or A-F, 0xbfff0014) or in decimal format. Note here that we want the address of the buff, not its content. The code looks like this: int main (int argc, char * argv []) {while (1) {four buff [1024] = {0}; Int r; .... I then started the code and put the built code in the buff [1024] line and in Typed Gdb p & amp; Buf and it gives me results: 0xbffff0f0 But when I use it in this quiz it gives me the result that this value is wrong. My question is this: Is this the name of the Buff variable (P & E)? Or if not, why not? Exercise is done on the virtualbox machine, so I think everyone should be the same address There is no correct numerical answer, the address may vary from one time to another, it is a programming drill that you say the following three...
    Read more