Encoded data is getting decoded automatically while binding it with controls.

  • Question

  • Hi,

    I am encoding malicious characters while saving them to the DB.

    But this encoded text is getting decoded again while binding it to controls like LoginView, Repeater.

    Is there any solution to avoid decoding?

    Regards,

    Durgesh

    Tuesday, December 31, 2019 7:56 AM

All replies

  • Hi Durgesh More,

    Thank you for posting here.

    Based on your description, I tried to make a test on my side, but I need more information.

    Could you provide some related code that can help us to reproduce your problem here?

    We are waiting for your update.

    Best Regards,

    Xingyu Zhao


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, December 31, 2019 8:37 AM
  • Hi Xingyu Zhao,

    I am encoding malicious user input e.g. <, >

    After encoding, the value of "<" will be "&lt", so whenever I try to bind this value to controls like Repeater or LoginView, it is getting decoded to the actual value, i.e. "<". But I don't want that value to be decoded, as it may contain malicious things which may impact our application.

    Regards,

    Durgesh

    Tuesday, December 31, 2019 8:57 AM
  • Hi Durgesh More,

    Thanks for your feedback.

    >>But these encoded text is getting decoded again while binding it with controls like LoginView, Repeater.

    Could you provide some code about 'binding text with controls'? It will help us to make a test.

    Thank you for your understanding, and I look forward to hearing from you.

    Best Regards,

    Xingyu Zhao




    Tuesday, December 31, 2019 9:08 AM
  • Hi Xingyu Zhao,

    Below is the code for LoginView, where I am using the C# function "WelcomeMessage()", which returns the encoded value from the database, i.e. "&it"

    <asp:LoginView runat="server">
        <LoggedInTemplate>
            <div class="header-profile-menu-sec">
                <img src="/assets/media/facelift/icon-account.svg" />
                <span><%= WelcomeMessage() %></span>
            </div>
        </LoggedInTemplate>
    </asp:LoginView>

    Tuesday, December 31, 2019 9:16 AM
  • Try this:

       <%: WelcomeMessage( ) %>

    or this:

       <%= Server.HtmlEncode(WelcomeMessage( )) %>

    • Edited by Viorel_MVP Tuesday, December 31, 2019 2:49 PM
    Tuesday, December 31, 2019 2:48 PM
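
An added example, not code from any poster in this thread: a C# console sketch of how the place where encoding happens changes the markup a page sends for the two expression forms suggested above. `RenderRaw`, `RenderEncoded` and `BrowserText` are hypothetical stand-ins for `<%= %>`, `<%: %>` / `Server.HtmlEncode`, and the browser's display of a text node; the input string is constructed.

```csharp
// Added illustration, not code from the thread.
using System;
using System.Net;

static class OutputEncodingDemo
{
    // Hypothetical stand-in for <%= value %>: written to the response unchanged.
    static string RenderRaw(string value) => value;

    // Hypothetical stand-in for <%: value %> or <%= Server.HtmlEncode(value) %>.
    static string RenderEncoded(string value) => WebUtility.HtmlEncode(value);

    // Hypothetical stand-in for the browser showing a text node: entities
    // are displayed as the characters they stand for.
    static string BrowserText(string markup) => WebUtility.HtmlDecode(markup);

    static void Show(string label, string markup)
    {
        Console.WriteLine(label);
        Console.WriteLine("  markup sent: " + markup);
        if (markup.Contains("<"))
            Console.WriteLine("  a literal '<' reaches the browser and is parsed as a tag");
        else
            Console.WriteLine("  text shown : " + BrowserText(markup));
    }

    static void Main()
    {
        string userInput = "Hi <b>Durgesh</b>";                   // constructed sample
        string storedEncoded = WebUtility.HtmlEncode(userInput);  // encoded before saving

        // Encoded once (at save time): the markup carries entities, the browser
        // displays them as '<' and '>' text, and no element is created.
        Show("stored encoded, <%= %>", RenderRaw(storedEncoded));

        // Encoded at save time and again on output: '&' becomes '&amp;', so the
        // visitor sees the entity text itself (double encoding).
        Show("stored encoded, <%: %>", RenderEncoded(storedEncoded));

        // Stored as entered, encoded once on output: same markup as the first case.
        Show("stored raw,     <%: %>", RenderEncoded(userInput));

        // Stored as entered, written unchanged: the unencoded case the
        // thread is trying to prevent.
        Show("stored raw,     <%= %>", RenderRaw(userInput));
    }
}
```

Comparing the browser's View Source output with the rendered page shows which of these cases a given control is in.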
  • Hi Durgesh More,

    As Viorel said, you can try to use the Server.HTMLEncode method to convert potentially unsafe characters to their HTML-encoded equivalent. It can convert encoded string to DBCS.

    For more information about the use of the Server.HTMLEncode method, you can refer to this link:

    Server.HTMLEncode Method

    Best Regards,

    Xingyu Zhao



    Thursday, January 2, 2020 3:08 AM
  • Hi Xingyu Zhao,

    Thank you for your response!!!

    I have already encoded unsafe data entered by the user and saved it in the database, but it is getting decoded at the time of binding it to specific types of controls like Repeater, LoginView.

    So my question was how to avoid this unwanted decoding?

    Regards,

    Durgesh

    Thursday, January 2, 2020 12:35 PM
  • Hi Durgesh More,

    As far as I know, automatic decoding cannot be disabled in ASP.NET.

    I think the best way is to use the Server.HTMLEncode method to apply HTML encoding to a specified string.

    Best Regards,

    Xingyu Zhao



    Monday, January 6, 2020 1:36 AM
  • Hi Xingyu Zhao,

    Thank you for your reply!!!!

    Is it default behavior of some ASP.NET controls to decode encoded text?

    Best Regards,

    Durgesh More

    Monday, January 6, 2020 7:22 AM
  • Hi Durgesh More,

    >> Is it default behavior of some ASP.NET controls to decode encoded text?

    No, I don't know why your control decodes automatically.

    Could you share your code and data with me that can reproduce your question?

    And this is an ASP.NET question, so I suggest you post your question in the ASP.NET forum for better help.

    Best Regards,

    Xingyu Zhao





    Monday, January 6, 2020 9:04 AM