How to handle encoded inputs that need to be edited?
Using Microsoft AntiXssLibrary, how do you handle input that needs to be edited later?
For example:
The user enters: <i>title</i>
Saved in the database as: <i>title</i>
The edit page displays the following in the textbox <i>title</i>
because I coded it before displaying it in the textbox.
The user doesn't like this.
Is it ok to code when writing to an input control?
Update:
I am still trying to figure it out. The answers below say to decode the string before displaying it, but wouldn't that allow XSS attacks?
One user who said decoding a string in an input field value is ok was downvoted.
source to share
It looks like you are coding it more than once. In ASP.NET, using Microsoft AntiXss Library, you can use the HtmlAttributeEncode method to encode untrusted input:
<input type="text" value="<%= AntiXss.HtmlAttributeEncode("<i>title</i>") %>" />
As a result
<input type="text" value="<i>title</i>" />
<i>title</i>
an input field.
source to share
If you allow users to enter HTML, which will then be displayed on the site, you need to do more than just encode and decode it.
Using AntiXss prevents attacks by converting script and markup to text. It does nothing to "clean up" the markup to be displayed directly. You will have to manually remove script tags etc. From user input to be completely protected in this scenario.
You will need to strip out script tags as well as JavaScript attributes for legal elements. For example, an attacker could inject malicious code into the onclick or onmouseover attributes.
source to share