Asked by:
To Use or Not To Use Server.HtmlEncode() for multi-national applications...

Question
-
User-102166584 posted
Ugh - I'm new to localization and having some serious issues supporting my out-of-USA languages...
For security purposes I'd like to Server.HtmlEncode() all the data that comes from the client. The problem is that this doesn't seem to work very well for international languages (it stores #206 instead of the characters; not all the applications that hit my database use HTML).
How do you handle security yet store the original/store characters? I'm using SQL Server unicode datatypes - that isn't the problem - the problem is how to handle this data from ASP.Net...
Thursday, September 22, 2005 10:28 PM
All replies
-
User1416329745 posted
Try the post below to Unicode encode in VS, but you also need to do column level collation of all the languages you support in SQL Server. Run a search for Unicode collation in SQL Server BOL (Books Online). Hope this helps.
http://forums.asp.net/1051194/ShowPost.aspx
Thursday, September 22, 2005 11:03 PM
User-102166584 posted
Thanks for the info - I have the SQL collations correctly setup already.
How do you handle security yet store the original/store characters? I'm using SQL Server unicode datatypes - that isn't the problem - the problem is how to handle this data from ASP.Net...
Monday, September 26, 2005 1:00 PM
User1416329745 posted
That part is covered in the link below. Hope this helps.
http://www.aspnetresources.com/blog/unicode_in_vsnet.aspx
Monday, September 26, 2005 2:59 PM
User-102166584 posted
I guess that I just don't understand how that article answers my question. I see no mention of using Server.HtmlEncode at all? My original question is something along the lines of how, when I use Server.HtmlEncode, I lose the international characters and I like to HtmlEncode the user data for security. The problem isn't the display of international characters in ASP.NET; that works fine for me. The question, to distill it, is how to build a secure page yet still allow the international characters to be saved using Server.HtmlEncode.
By the way, I am using a hosted web server if that changes anything. I don't think it does but I mention it just in case.
Thanks for the help - that's a great article :)
Tuesday, September 27, 2005 5:48 AM
User1416329745 posted
I am not sure if you will find specific encoding for a class; you are supposed to use the Visual Studio encoding for the front end, while column level collation is used for the database. I have two possible solutions, one SQL Server based and the other .NET based. Try them to get started. Hope this helps.
http://forums.asp.net/1054431/ShowPost.aspx
Tuesday, September 27, 2005 10:52 AM
User-102166584 posted
??? Neither of those articles even touches on what I need, and the first article you posted was interesting but not helpful either. I appreciate the help - I really do - but I fail to see how these articles answer my original question in the thread's title: Should I use Server.HtmlEncode for international applications or not?
Tuesday, September 27, 2005 6:34 PM
User1416329745 posted
So sorry it took so long to get your answer; we had weather problems. Anyway, the answer is yes, because this site's code base back in 2003 called Server.HtmlEncode on every user input. The reason you may not have got your answer from Google is that the method is called in Page_Load under If IsPostBack; it is a tip in the book ("Call the Server.HtmlEncode method on all user input before displaying it"). I also got similar MSDN code because the sample code from the book was just hello. I am sorry again. Hope this helps.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconpostbackdataprocessingsample.asp
http://msdn.microsoft.com/en-us/library/thh46856
Tuesday, October 4, 2005 12:09 PM
User1424575140 posted
If I understand, the problem is that HtmlEncode is encoding many of the characters as html entities such as é or ‚
Are you using it as a generic way to avoid bad user input? It is really only a way to make sure that user input doesn't become part of your web page when you re-display it.
Do you allow html input? or do you want it stripped out?
Are there already a lot of clients for the data?
Can you provide two properties; Text and Html?
Friday, October 7, 2005 11:18 AM
User-102166584 posted
Finally...
Ok - good questions:
-- You understand the question correctly
> Are you using it as a generic way to avoid bad user input?
-- Yes, that is my intention but it is encoding the international characters as HTML as you listed
> Do you allow html input? or do you want it stripped out?
-- I do not accept HTML input and I have procedures in place to strip it out
> Are there already a lot of clients for the data? Can you provide two properties; Text and Html?
-- No - this is a new application so I can do what I want! And, since I don't accept HTML input, I only have to worry about text
Monday, October 10, 2005 8:34 AM
User1424575140 posted
I don't think you need HtmlEncode; you can use a regular expression or other text manipulation to strip any HTML tags and get just text.
HtmlEncode is really only meant for a situation where the user will enter some markup as plain text and you want to display his text as entered, not as part of your markup.
He enters "<b>Hello</b>" in a textbox, and you want to display "<b>Hello</b>", not "Hello".
Tuesday, October 11, 2005 10:14 AM
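The "two properties; Text and Html" suggestion from the earlier reply, and the point that HtmlEncode belongs at display time rather than in the database, as an added C# example that is not code from anyone in this thread. It assumes a hypothetical `UserComment` class; `HttpUtility.HtmlEncode`/`HtmlDecode` are the real System.Web methods that Server.HtmlEncode wraps.

```csharp
// Added example: keep the user's original Unicode text for storage and for the
// non-HTML clients of the database, and HTML-encode only when rendering a page.
using System;
using System.Web; // HttpUtility lives in System.Web.dll (reference it in the project)

public sealed class UserComment
{
    private readonly string _text;

    public UserComment(string text)
    {
        _text = text ?? string.Empty;
    }

    // Stored as-is in an nvarchar/ntext column: "Zoë" stays "Zoë" and any
    // markup the user typed stays literal, so reports and other applications
    // that read the table never see HTML entities.
    public string Text
    {
        get { return _text; }
    }

    // Computed for the ASP.NET page only and never written back to the database.
    // Depending on the framework version, é/ë come out as the character itself or
    // as a numeric entity such as &#235;; the browser renders both identically.
    public string Html
    {
        get { return HttpUtility.HtmlEncode(_text); }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: a non-ASCII name plus the "<b>Hello</b>" case
        // from the thread, typed as plain text into a textbox.
        var comment = new UserComment("Zoë wrote <b>Hello</b>");

        Console.WriteLine(comment.Text); // what the database and non-HTML clients get
        Console.WriteLine(comment.Html); // what the page emits; the <b> is shown, not applied

        // HtmlEncode is reversible, so text that was encoded at input time by
        // mistake can still be handed to a non-HTML client in its original form.
        string recovered = HttpUtility.HtmlDecode(comment.Html);
        Console.WriteLine(recovered == comment.Text); // True
    }
}
```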
User-102166584 posted
Thanks. I have procedures in place to strip out scripting/HTML so I'm just going to leave out the Server.HtmlEncode
Tuesday, October 11, 2005 4:52 PM