Question

I am trying to figure out the context in which HtmlAttributeEncode could be used.

I tried with a simple 'Hello!' alert script set as a control attribute, so I could see HtmlAttributeEncode in action, but I can't see where I can use HtmlAttributeEncode instead of HtmlEncode.

So, for example, I have

- a textbox for user input
  // txtuserInput.Text = <script>alert(document.cookie);</script>

- an anchor control to show user input being set as one of its attribute values
  In the code-behind I tried with:
     myanchorTag.InnerText = txtuserInput.Text;
     or
     myanchorTag.Id = txtuserInput.Text;

But I can't see this script running :-(
I have already tried that for the TextBox.Text property, but for that I can use HtmlEncode.

Can anyone please guide?

Thank you!


Solution

The asp:Textbox control automatically escapes the .Text property. See http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-08-91-89-96/asp.net_5F00_control_5F00_encoding.htm

You should use HtmlAttributeEncode when using unescaped controls and when building raw HTML.
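
The "building raw HTML" case from the answer, as an added example that is not part of the original post: a console program that places the same input into a double-quoted attribute with and without HttpUtility.HtmlAttributeEncode, and into element content with HttpUtility.HtmlEncode. The class and method names, the /profile link and the second sample value are assumptions made for illustration.

```csharp
using System;
using System.Web; // HttpUtility (reference System.Web.dll on .NET Framework)

static class AttributeEncodingDemo
{
    // Before: raw concatenation. A double quote in the input ends the
    // title attribute early and the rest is parsed as new markup.
    static string AnchorRaw(string title) =>
        "<a href=\"/profile\" title=\"" + title + "\">profile</a>";

    // After: HtmlAttributeEncode escapes at least ", & and <, so the value
    // cannot leave a quoted attribute. It does not make an unquoted
    // attribute, a URL or an event-handler attribute safe.
    static string AnchorEncoded(string title) =>
        "<a href=\"/profile\" title=\"" +
        HttpUtility.HtmlAttributeEncode(title) + "\">profile</a>";

    // Element content (between tags) is the HtmlEncode case.
    static string SpanEncoded(string text) =>
        "<span>" + HttpUtility.HtmlEncode(text) + "</span>";

    static void Main()
    {
        string[] samples =
        {
            // The value used in the question.
            "<script>alert(document.cookie);</script>",
            // Constructed sample: a quote that would close the attribute
            // and add a harmless extra attribute if left unencoded.
            "x\" data-injected=\"1",
        };

        foreach (string input in samples)
        {
            Console.WriteLine("input            : " + input);
            Console.WriteLine("attribute, raw   : " + AnchorRaw(input));
            Console.WriteLine("attribute, safe  : " + AnchorEncoded(input));
            Console.WriteLine("element content  : " + SpanEncoded(input));
            Console.WriteLine();
        }
    }
}
```

In the raw output for the second sample the anchor gains a separate data-injected attribute, while the encoded output keeps the whole input inside title.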

Licensed under: CC-BY-SA with attribution