Server.HtmlEncode on ASPX page for TextArea size


I have a question and I'm not sure what the best tack is for this.

I have a TextArea input on a page. This textarea has a maxsize of 500 characters.

<asp:TextBox ID="TxtOther" Width="530px" TextMode="MultiLine"
    Style="word-wrap: break-word; height: 300px; overflow: auto; vertical-align: top"
    runat="server" AutoComplete="off" MaxLength="500" />

Now, the bad thing is on the code-behind it will take the text entered and do a Server.HtmlEncode of it.

The situation is this (for example): the user can enter like 499 characters in the textarea and that includes a "<" sign. Obviously, the < when encoded will have the &lt;. That puts the length of the text entered greater than 500.

How can I have the code on the client-side encode the text entered to validate that it's still less than 500 after the encoding? I am willing to just truncate whatever is over 500 characters.

What are the best approaches?

Randy Poole Commented:
I am assuming you're storing this in a DB.  In reality the best way to handle this would be to increase the size of your database field which is holding this text.
davism (Author) Commented:
Yes, eventually it will go into a DB. But I cannot change that.

So, what other means on the non-DB side between code-behind and aspx can this be done?

I have tried client-side htmlencoding schemes but they do not all appear to function or provide the same output as the Server.htmlencode.
Randy Poole Commented:
This is not making sense. Normally the control will encode the text before sending it to the code behind then decode it so you can read it.  Which means that when you get it the text should be a max of whatever you have the textarea declared as.   You would then store the text in the database as decoded.  What am I missing here?

davism (Author) Commented:
Actually it does. I have never heard of it automatically encoding.

If I use the example:

"This is a test. I will pass a sentence with multiple characters. You will see “.”’s in here and I have also done a ,. There will be a time when I need to do an < sign as well." (remove the first and last double quote.)

In the TxtOther.Text in the code-behind I have exactly what is displayed.

I have to run the Server.HtmlEncode(TxtOther.Text). When I execute that I get:

"This is a test. I will pass a sentence with multiple characters. You will see “.”’s in here and I have also done a ,. There will be a time when I need to do an &lt; sign as well." (again, remove the first and last double quote.)

Albeit, I am surprised it didn't change the double-quote to an encoded value.
Gary Davis (Dir Internet Svcs) Commented:
The correct way would be to store the data in the database un-HtmlEncoded and when displayed to the user, HtmlEncode at that time.

Another route would be a javascript count-down that displays and limits the characters entered in the textarea. Subtract 1 for each character except for <, > & and " where you would subtract the length of the encoded character. Better would be to use the JavaScript or jquery HtmlEncode-equivalent and get the length to see if the max has been reached - do this for each character and encode for the total current string.
davism (Author) Commented:
Gary, I tried that with some of the htmlencoding for javascript on the client side. The bad thing is that so many I have seen actually address the encodings in different ways for special characters like double quotes and so on.

I need something on the client-side that will encode exactly as the Server.htmlencode is doing.  If you know of one please share as that may help. BUT yet any client-side encoding could also be a risk.

"The correct way would be to store the data in the database un-HtmlEncoded and when displayed to the user, HtmlEncode at that time." I cannot necessarily agree with that and definitely wouldn't htmlencode as would that not be an htmldecode? But none-the-less, it's all deterministic on the reason for the information in the DB and what the audience is of it. If it's exclusively and how it was done in the past. You cannot change if it was done where everything is encoded and stored in the DB. Then decoded when either displayed on the rendering of the page of whatever other output means.
Gary Davis (Dir Internet Svcs) Commented:
You should not have to HtmlDecode anywhere. When your page receives the contents of the textarea, it will be normal unencoded text. Save that in the table, the max length should not be exceeded.

Later, you pull the data out of the database and display it to the user. If you want to display the message as entered, it will have to be HtmlEncoded so brackets, ampersands and double quotes display correctly. If the data is to be displayed as Html (you allow the user to enter html into the text area), you would not HtmlEncode it but I don't think that is what you are doing.

HtmlDecoding is done by the browser for you so you don't need to be concerned with that process (usually).
davism (Author) Commented:
It's actually used quite heavily in this project. Again, I inherited it and really change it. I would not have agreed with encoding it at all and storing it. As mentioned that is a known risk. The good thing is that it's all done server-side.

What is happening is that when it's storing it is when it's being encoded and when it's rendered back to the user it's decoded.

I need to follow that same paradigm, even as much as I disagree with it and how it's done. Hence, the reason for the question. So, circling back to the original question. How can I do the Server.htmlencoding on the client so the encoded length is the same as what it will be as the server encoded has or will have?
>I am willing to just truncate whatever is over 500 characters.

If you are, that's the easiest option. HTML encode on server and only take 500 characters out of the resulting string to store in DB.
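
One edge case in the truncation suggested above: a cut at character 500 can land inside an entity such as &lt;, leaving a fragment that no longer decodes to the original character. The following is an added example, not code from the thread or its participants, that trims back to the last complete entity. `StoredFieldEncoder` and its method names are hypothetical, and `WebUtility.HtmlEncode` stands in for `Server.HtmlEncode` so the code runs outside a page.

```csharp
using System;
using System.Net;

// Added example; StoredFieldEncoder and its members are hypothetical names.
public static class StoredFieldEncoder
{
    // Naive form: encode, then cut at the column width.
    public static string EncodeAndCut(string raw, int max)
    {
        string encoded = WebUtility.HtmlEncode(raw ?? string.Empty);
        return encoded.Length <= max ? encoded : encoded.Substring(0, max);
    }

    // Same cut, then back off so it never ends inside an entity
    // or between the two halves of a surrogate pair.
    public static string EncodeAndCutSafely(string raw, int max)
    {
        string cut = EncodeAndCut(raw, max);

        // In encoded output every '&' opens an entity that runs to the next ';'.
        // A trailing '&' with no ';' after it is an entity the cut split in two.
        int amp = cut.LastIndexOf('&');
        if (amp >= 0 && cut.IndexOf(';', amp) < 0)
            cut = cut.Substring(0, amp);

        // Characters the encoder leaves alone may be surrogate pairs.
        if (cut.Length > 0 && char.IsHighSurrogate(cut[cut.Length - 1]))
            cut = cut.Substring(0, cut.Length - 1);

        return cut;
    }

    public static void Main()
    {
        // Constructed input: 498 letters followed by "<b>" (501 raw characters).
        string raw = new string('a', 498) + "<b>";

        string naive = EncodeAndCut(raw, 500);
        string safe = EncodeAndCutSafely(raw, 500);

        // Show the tail of each result and what it decodes back to.
        Console.WriteLine("naive tail: " + naive.Substring(naive.Length - 5));
        Console.WriteLine("safe tail:  " + safe.Substring(safe.Length - 5));
        Console.WriteLine("naive decodes cleanly: " +
            raw.StartsWith(WebUtility.HtmlDecode(naive), StringComparison.Ordinal));
        Console.WriteLine("safe decodes cleanly:  " +
            raw.StartsWith(WebUtility.HtmlDecode(safe), StringComparison.Ordinal));
    }
}
```

The safe form can return fewer than 500 characters, because it drops a whole entity or a whole surrogate pair rather than storing part of one.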

davism (Author) Commented:
Yeah, it's just that what I was trying to do was, with any encoding on the client side, it was not going to take any more due to the length (with the conversion) if it's over 500 - even though I was going to truncate it to 500 anyway.
davism (Author) Commented:
Thanks for the information. The encoding was too variable on the client-side and I resorted to using the server-side but also brought up the fact that we should not be doing the encoding to store the information in the database.
