Secure form before sending

Question
-
User-284642143 posted
I have quite a small form with a couple of textboxes to accept free text.
Would it be correct to
1. Have all the textboxes decoded before the data is saved or even sent via email, i.e.
var DescriptionofIssue = Server.HtmlDecode(txtIssue.Text);
2. HTMLEncode everything first, then HTMLDecode before sending/saving?
Read a few articles but not entirely sure what the secure way would be.
Tuesday, January 8, 2019 12:28 PM
Answers
-
User475983607 posted
No, I don't trust the content as it can be anyone that can enter text into the textbox.
The textbox would accept text and the email is set as HTML.
Judging by this I would imagine changing the above line to (Encode)
var DescriptionofIssue = Server.HtmlEncode(txtIssue.Text);
??
The first step is always validation, which ASP.NET adds automatically. But yes, you'll want to encode the content to avoid JavaScript injection.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, January 8, 2019 3:44 PM
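The following is an added example, not code from the thread, showing the accepted answer in practice together with the text-vs-HTML distinction raised in the replies below. It assumes the page's txtIssue input is available as a plain string and uses System.Net.WebUtility.HtmlEncode, which performs the same encoding as Server.HtmlEncode but does not require an HttpContext, so the snippet can be compiled as a console program. The sender and recipient addresses and the sample input are constructed for the example.

```csharp
// Added example (not from the thread): building an issue-report e-mail from
// untrusted textbox input. WebUtility.HtmlEncode does the same job as
// Server.HtmlEncode outside of a Page/HttpContext.
using System;
using System.Net;
using System.Net.Mail;

public static class IssueMailBuilder
{
    // HTML-format body: every untrusted value is encoded at the point where it
    // is placed inside HTML, so '<', '>', '&' and '"' become entities and can
    // no longer open a tag or script in the recipient's mail client.
    public static string BuildHtmlBody(string reporter, string description)
    {
        string safeReporter = WebUtility.HtmlEncode(reporter);
        string safeDescription = WebUtility.HtmlEncode(description);
        return "<html><body>"
             + "<p><b>Reported by:</b> " + safeReporter + "</p>"
             + "<p><b>Description:</b><br/>"
             + safeDescription.Replace("\n", "<br/>") + "</p>"  // newlines are not encoded, so this is safe after encoding
             + "</body></html>";
    }

    // Plain-text body: nothing is interpreted as HTML, so the raw text goes in
    // unchanged. Encoding here would only leave visible "&lt;" in the message.
    public static string BuildTextBody(string reporter, string description)
    {
        return "Reported by: " + reporter + Environment.NewLine
             + "Description:" + Environment.NewLine + description;
    }

    // Pick the body builder that matches the message format (IsBodyHtml).
    public static MailMessage BuildMessage(string reporter, string description, bool asHtml)
    {
        // Constructed addresses; replace with the real sender and recipient.
        var msg = new MailMessage("noreply@example.invalid", "support@example.invalid")
        {
            Subject = "New issue report",
            IsBodyHtml = asHtml,
            Body = asHtml ? BuildHtmlBody(reporter, description)
                          : BuildTextBody(reporter, description)
        };
        return msg;
    }

    public static void Main()
    {
        // Constructed input: what an arbitrary visitor might type into txtIssue.
        string reporter = "Jane <jane@example.invalid>";
        string description = "Page breaks when I click Save.\n<script>alert(1)</script>";

        MailMessage html = BuildMessage(reporter, description, asHtml: true);
        Console.WriteLine(html.Body);
        // The script tag arrives as literal text: &lt;script&gt;alert(1)&lt;/script&gt;

        MailMessage text = BuildMessage(reporter, description, asHtml: false);
        Console.WriteLine(text.Body);
        // Plain text: the raw description is shown, nothing is interpreted.

        // Option 2 from the question (encode, then decode before sending) just
        // hands back the original string, so the raw <script> would be e-mailed.
        string roundTrip = WebUtility.HtmlDecode(WebUtility.HtmlEncode(description));
        Console.WriteLine(roundTrip == description); // True
    }
}
```

The design point is that encoding is an output operation tied to the format of the destination: apply it when the value is written into an HTML body, skip it for a plain-text body, and never encode-then-decode as a "cleaning" step, since the round trip returns exactly what the user typed.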
All replies
-
User475983607 posted
HTML Encoding protects browser based applications from JavaScript injection. If you trust the content the decoding is fine. If you do not trust the content then encode.
Ultimately you are the only one that can make this decision because it depends on format and if you trust the content. If the email is text then you'll want the decoded content. If the email is HTML then the encoded should be fine.
Tuesday, January 8, 2019 3:31 PM
-
User-284642143 posted
If you trust the content the decoding is fine. If you do not trust the content then encode.
It depends on format and if you trust the content.
If the email is text then you'll want the decoded content. If the email is HTML then the encoded should be fine.
No, I don't trust the content as it can be anyone that can enter text into the textbox.
The textbox would accept text and the email is set as HTML.
Judging by this I would imagine changing the above line to (Encode)
var DescriptionofIssue = Server.HtmlEncode(txtIssue.Text);
??
Tuesday, January 8, 2019 3:39 PM