Do we need to use HttpUtility.HtmlEncode for Resources to prevent XSS?
We need to use HttpUtility.HtmlEncode on our website. Do we need to use it for Resources? Is there any potential threat?
<%=HttpUtility.HtmlEncode(Resources.MyResourceString)%>
If your resources are HTML, then don't reencode them. If they're text, then HtmlEncode them.
If your resources are just plain old text (i.e. could contain raw ampersands or angle brackets), then even if you don't open up an XSS hole, you still need to HtmlEncode them so that you'll generate valid HTML.
If your resources come from a known-safe source (which I suspect they do), then you don't need to do that, no.
Not to prevent cross-site scripting - that is, unless your users have access to the resources for your application and can insert something malicious!
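The distinction the answers draw (plain-text resources get encoded, HTML resources do not, and encoding only matters for XSS if someone untrusted can write to the resource files) is easy to see by running HttpUtility.HtmlEncode over a few resource strings of each kind. The following is an added example, not code from the question or any of the answers: the Resources dictionary stands in for the generated Resources class, and its keys and values are constructed for illustration.

```csharp
// Added example: how HttpUtility.HtmlEncode treats different kinds of resource strings.
// The Resources dictionary below is a constructed stand-in for the generated
// Resources class; every key and value in it is an assumption made for this demo.
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility; on .NET Core / .NET 5+ this is the System.Web.HttpUtility assembly

class ResourceEncodingDemo
{
    // Stand-in for Resources.* (constructed data).
    static readonly Dictionary<string, string> Resources = new Dictionary<string, string>
    {
        // Plain text that happens to contain characters with meaning in HTML.
        ["TermsLabel"] = "Terms & Conditions <updated>",

        // A resource the developer deliberately wrote as HTML markup.
        ["WelcomeHtml"] = "<strong>Welcome</strong> back!",

        // What a resource looks like if someone with write access to the .resx
        // files (a translator, a compromised build step) slips markup into it.
        ["Tainted"] = "Hello<script>alert(document.cookie)</script>",
    };

    // Plain-text resources: encode so that & < > " ' are emitted as entities and
    // the browser shows them as characters instead of parsing them as markup.
    public static string RenderText(string key) => HttpUtility.HtmlEncode(Resources[key]);

    // HTML resources: emit verbatim. Encoding these would turn the markup into
    // visible text (the "don't re-encode" point in the answers above).
    public static string RenderHtml(string key) => Resources[key];

    static void Main()
    {
        // Plain text: encoding gives valid HTML and the user sees the original text.
        Console.WriteLine(RenderText("TermsLabel"));

        // Intentional markup: left alone, the browser renders the <strong> element.
        Console.WriteLine(RenderHtml("WelcomeHtml"));

        // Intentional markup passed through HtmlEncode: the user sees literal tags.
        Console.WriteLine(RenderText("WelcomeHtml"));

        // Tainted resource through HtmlEncode: the script tag becomes inert text.
        Console.WriteLine(RenderText("Tainted"));

        // Tainted resource emitted verbatim: this is the only case that is an XSS
        // problem, and only if the resource files are writable by someone untrusted.
        Console.WriteLine(RenderHtml("Tainted"));
    }
}
```

The practical rule this demonstrates: decide per resource whether it is text or HTML, and make the choice visible at the call site (for example by naming HTML resources with an Html suffix) so that the `<%= %>` expressions in the page consistently encode the text ones and never encode the HTML ones.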