
Is there any need to use Html.Encode for an internal site?

I'm having some problems with Html.Encode and users wanting to use special characters. Firstly the characters are replaced by the html codes and so are not displayed properly. And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted.

Given that this is an intranet site and the possibility of a deliberate attack is almost non-existent, is there really any risk to not using Html.Encode? Is there any possibility that someone would inadvertently submit some special characters which cause problems?

Or is there a better way around this problem?


Given that this is an intranet site and the possibility of a deliberate attack is almost non-existent, is there really any risk to not using Html.Encode

Yes, yes and yes again. There's always a risk by someone entering special characters in input fields. The golden rule of web development is never trust user input and always encode anything that might come from a user input.


Check everywhere you are calling Html.Encode as it sounds like you're double encoding your strings (possibly encoding on save and on display or encoding on a template/partial and encoding that again).

And yes always encode your strings even if it's internal, otherwise one disgruntled employee could cause some serious damage.


Firstly the characters are replaced by the html codes and so are not displayed properly

You are double encoding. You actually want Html.Encode in order to display the HTML tags the user entered at all. Unless you actually want things like <ul><li> to be a bullet list instead of showing the tags.

And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted.

Whatever you did to allow the initial submission of those will work to allow editing. Again, maybe because of the double encoding, you are getting into further issues.

Given that this is an intranet site and the possibility of a deliberate attack is almost non-existent, is there really any risk to not using Html.Encode?

Deep down you already know that way of seeing security is wrong ;)

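The double encoding that the second and third answers diagnose, shown as an added Python illustration (not ASP.NET code and not the asker's code): `html.escape` stands in for Html.Encode, the sample input is constructed, and `browser_decodes` models what a browser does with entities before displaying text or resubmitting a form field.

```python
import html

# Constructed sample: an intranet user types literal markup and an ampersand.
USER_INPUT = "Use <b>bold</b> & <ul><li>lists</li></ul> carefully"


def encode_on_save(raw: str) -> str:
    """The mistake behind the symptoms: encoding before storing the value."""
    return html.escape(raw, quote=True)


def render(value: str) -> str:
    """The view layer: encode exactly once, at the HTML output boundary."""
    return html.escape(value, quote=True)


def double_encoded_display(raw: str) -> str:
    """Encode on save AND on display. The browser then shows '&lt;b&gt;'
    literally instead of '<b>', which is the 'html codes' symptom."""
    stored = encode_on_save(raw)
    return render(stored)


def correct_display(raw: str) -> str:
    """Store the raw text unchanged; the single escape happens in render()."""
    stored = raw
    return render(stored)


def form_attribute_value(stored: str) -> str:
    """Value for an edit form's input attribute: one escape, same as display."""
    return html.escape(stored, quote=True)


def browser_decodes(encoded: str) -> str:
    """Browsers decode entities before showing text or submitting a field."""
    return html.unescape(encoded)


def round_trip(stored: str) -> str:
    """What comes back when the edit form is submitted untouched."""
    return browser_decodes(form_attribute_value(stored))


if __name__ == "__main__":
    # Correct path: user sees exactly what they typed, and editing is lossless.
    assert browser_decodes(correct_display(USER_INPUT)) == USER_INPUT
    assert round_trip(USER_INPUT) == USER_INPUT
    # Double-encoded path: user sees entities, and the edit form resubmits them.
    assert browser_decodes(double_encoded_display(USER_INPUT)) == encode_on_save(USER_INPUT)
    assert round_trip(encode_on_save(USER_INPUT)) != USER_INPUT
```

Encoding once at output keeps the stored value equal to what the user typed, so the edit form resubmits the same text that was accepted the first time.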