开发者

Disadvantage of HttpUtility.HtmlAttributeEncode

I have to encode a field so to开发者_StackOverflow社区 make it secure of script injection.

I know I can use HttpUtility.HtmlEncode and Decode, but this method for HI-ASCII characters goes out of the range of the field size in database and I dont want to change the size of data field column.

Instead if I use HttpUtility.HtmlAttributeEncode, it works fine because it does not encode the HI-ASCII characters.

Is it safe what can be the disadvantages of it.


From HttpUtility..::.HtmlAttributeEncode Method (String):

The HtmlAttributeEncode method converts only quotation marks ("), ampersands (&), and left angle brackets (<) to equivalent character entities. It is considerably faster than the HtmlEncode method.

The string result from the HtmlAttributeEncode method should be used only for double-quoted attributes. Security issues might arise when using the HtmlAttributeEncode method with single-quoted attributes.

However it is not a usual practice to store the encoded input in the database. It is difficult to predict how much longer an encoded version will become.

Much better is directly store the input, and only encode it when needed (when you output it in HTML).


Storing data without encoding may cause SQL injection.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜