In order to secure our Web API application, we decided to encode and decode our data in order to avoid XSS attacks. We are doing this in our Json contract resolver so this will happen for all the requests.
We've started to encode data like:
And we were decoding data like:
But I've read that for this task the AntiXssEncoder is doing a better job, so we've replaced our encoding method with:
But the HttpEncoder.HtmlDecode (inherited from HttpEncoder) on this class is protected, so is it safe for the API to encode the data using the method from AntiXssEncoder, but decode it using WebUtility.HtmlDecode?
Is there a way to configure Json.Net to automatically encode all strings like HtmlEncode(myString) when the model is serialized?
Given the following URL (working, try it!)
If you click on the link and go through to the payment page, the address in the address box is not displaying properly, the newline characters are displaying as text.
I've tried passing through <br />'s but no luck, anyone got any ideas? I need to get the address to display with newlines.
Commas are OK as a separator but I would much prefer being able to have newlines. Thanks for any help! A working example will be the accepted answer.
I have a website which runs on PHP and a MySQL database. I was wondering how to best treat user input in regard to HTML encoding (I am well aware that I should store as received and decode in output: that's what I do) and this cycle in particular:
<input value="però"> and when the user submits it the server will receive
Now my question is: should the server decode all the received inputs so that però gets decoded to the original
My doubt is that this would mean that if a user inputs è as his username it will be registered as è and not as he actually intended...
I know this is not such a big problem (don't know of many users which would want to use HTML special characters encoding literals in their usernames...), but it puzzled me and I could not find a completely satisfying solution.
I'm trying to protect myself from SQL injection and am using:
When posting HTML it looks something like this:
<span class="\"className\""><p class="\"pClass\"" id="\"pId\""></p></span>
I'm not sure how many other variations real_escape_string adds so don't want to just replace a few and miss others... How do I "decode" this back into correctly formatted HTML, with something like: