Solved

Server.HtmlEncode on ASPX page for TextArea size

Posted on 2014-07-12
Last Modified: 2014-07-18
Hi,

I have a question and I'm not sure what the best tack is for this.

I have a TextArea input on a page. This textarea has a maxsize of 500 characters.

<asp:TextBox ID="TxtOther" Width="530px" TextMode="MultiLine"
    Style="word-wrap: break-word; height: 300px; overflow: auto; vertical-align: top"
    runat="server" AutoComplete="off" MaxLength="500" />

Now, the bad thing is on the code-behind it will take the text entered and do a Server.HtmlEncode of it.

The situation is this (for example): the user can enter like 499 characters in the textarea and that includes a "<" sign. Obviously, the < when encoded will have the &lt;. That puts the length of the text entered greater than 500.

How can I have the code on the client-side encode the text entered to validate that it's still less than 500 after the encoding? I am willing to just truncate whatever is over 500 characters.

What are the best approaches?
Question by:davism
11 Comments
 
LVL 21

Expert Comment

by:Randy Poole
ID: 40192220
I am assuming you're storing this in a DB. In reality the best way to handle this would be to increase the size of your database field which is holding this text.
0
 
LVL 1

Author Comment

by:davism
ID: 40192238
Yes, eventually it will go into a DB. But I cannot change that.

So, what other means on the non-DB side between code-behind and aspx can this be done?

I have tried client-side htmlencoding schemes but they do not all appear to function or provide the same output as the Server.htmlencode.
0
 
LVL 21

Expert Comment

by:Randy Poole
ID: 40192247
This is not making sense. Normally the control will encode the text before sending it to the code behind then decode it so you can read it. Which means that when you get it the text should be a max of whatever you have the textarea declared as. You would then store the text in the database as decoded. What am I missing here?
0
 
LVL 1

Author Comment

by:davism
ID: 40192259
Actually it does. I have never heard of it automatically encoding.

If I use the example:

"This is a test. I will pass a sentence with multiple characters. You will see “.”’s in here and I have also done a ,. There will be a time when I need to do an < sign as well." (remove the first and last double quote.)

In the TxtOther.Text in the code-behind I have exactly what is displayed.

I have to run the Server.HtmlEncode(TxtOther.Text). When I execute that I get:

"This is a test. I will pass a sentence with multiple characters. You will see “.”’s in here and I have also done a ,. There will be a time when I need to do an &lt; sign as well." (again, remove the first and last double quote.)

Albeit, I am surprised it didn't change the double-quote to an encoded value.
0
 
LVL 18

Assisted Solution

by:Gary Davis
Gary Davis earned 1200 total points
ID: 40192289
The correct way would be to store the data in the database un-HtmlEncoded and when displayed to the user, HtmlEncode at that time.

Another route would be a javascript count-down that displays and limits the characters entered in the textarea. Subtract 1 for each character except for <, > & and " where you would subtract the length of the encoded character. Better would be to use the JavaScript or jquery HtmlEncode-equivalent and get the length to see if the max has been reached - do this for each character and encode for the total current string.
0
 
LVL 1

Author Comment

by:davism
ID: 40192302
Gary, I tried that with some of the htmlencoding for JavaScript on the client side. The bad thing is that so many I have seen actually address the encodings in different ways for special characters like double quotes and so on.

I need something on the client-side that will encode exactly as the Server.htmlencode is doing. If you know of one please share as that may help. BUT yet any client-side encoding could also be a risk.

"The correct way would be to store the data in the database un-HtmlEncoded and when displayed to the user, HtmlEncode at that time." I cannot necessarily agree with that and definitely wouldn't htmlencode as would that not be an htmldecode? But none-the-less, it's all deterministic on the reason for the information in the DB and what the audience is of it. If it's exclusively and how it was done in the past. You cannot change if it was done where everything is encoded and stored in the DB. Then decoded when either displayed on the rendering of the page of whatever other output means.
0
 
LVL 18

Assisted Solution

by:Gary Davis
Gary Davis earned 1200 total points
ID: 40192317
You should not have to HtmlDecode anywhere. When your page receives the contents of the textarea, it will be normal unencoded text. Save that in the table, the max length should not be exceeded.

Later, you pull the data out of the database and display it to the user. If you want to display the message as entered, it will have to be HtmlEncoded so brackets, ampersands and double quotes display correctly. If the data is to be displayed as Html (you allow the user to enter html into the text area), you would not HtmlEncode it but I don't think that is what you are doing.

HtmlDecoding is done by the browser for you so you don't need to be concerned with that process (usually).
0
 
LVL 1

Author Comment

by:davism
ID: 40192325
It's actually used quite heavily in this project. Again, I inherited it and really change it. I would not have agreed with encoding it at all and storing it. As mentioned that is a known risk. The good thing is that it's all done server-side.

What is happening is that when it's storing it is when it's being encoded and when it's rendered back to the user it's decoded.

I need to follow that same paradigm, even as much as I disagree with it and how it's done. Hence, the reason for the question. So, circling back to the original question. How can I do the Server.htmlencoding on the client so the encoded length is the same as what it will be as the server encoded has or will have?
0
 
LVL 83

Accepted Solution

by:
CodeCruiser earned 400 total points
ID: 40194142
>I am willing to just truncate whatever is over 500 characters.

If you are, that's the easiest option. HTML encode on server and only take 500 characters out of the resulting string to store in DB.
0
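Added example, not posted by anyone in this thread: a JavaScript sketch of the per-character count Gary Davis describes and of the cut-at-500 step in the accepted answer, showing that a blind cut of the encoded string can leave a partial entity such as `&lt` while a cut on entity boundaries does not. The entity table covers only the four characters named in the thread and is an assumption to check against real Server.HtmlEncode output; the names htmlEncode, encodedLength, naiveCut and fitEncoded are hypothetical.

```javascript
// Added example. Entity table: assumption limited to the four characters
// named in the thread; confirm against real Server.HtmlEncode output.
const ENTITIES = new Map([
  ['<', '&lt;'], ['>', '&gt;'], ['&', '&amp;'], ['"', '&quot;'],
]);

function htmlEncode(text) {
  return text.replace(/[<>&"]/g, (ch) => ENTITIES.get(ch));
}

// Length of the encoded form without building it: the per-character count
// a client-side countdown would display.
function encodedLength(text) {
  let n = 0;
  for (const ch of text) n += (ENTITIES.get(ch) ?? ch).length;
  return n;
}

// Failure mode: encode, then cut the encoded string at the column limit.
function naiveCut(text, limit) {
  return htmlEncode(text).slice(0, limit);
}

// Safer cut: longest prefix of the raw text whose encoded form fits.
// Each entity is kept whole or dropped, never split.
function fitEncoded(text, limit) {
  let used = 0;
  let out = '';
  for (const ch of text) {
    const enc = ENTITIES.get(ch) ?? ch;
    if (used + enc.length > limit) break;
    used += enc.length;
    out += enc;
  }
  return out;
}

// Constructed sample: 500 raw characters that encode to 506.
const SAMPLE = 'a'.repeat(497) + '<b>';
console.log(encodedLength(SAMPLE));             // 506
console.log(naiveCut(SAMPLE, 500).slice(-3));   // "&lt" (broken entity)
console.log(fitEncoded(SAMPLE, 500).length);    // 497
```

The stored value is whatever the server produces, so the boundary-aware cut belongs in the code-behind as well; the client-side count is only a hint to the user.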
 
LVL 1

Author Comment

by:davism
ID: 40194545
Yeah, it's just that what I was trying to do was, with any encoding on the client side, it was not going to take any more due to the length (with the conversion) if it's over 500 - even though I was going to truncate it to 500 anyway.
0
 
LVL 1

Author Closing Comment

by:davism
ID: 40205639
Thanks for the information. The encoding was too variable on the client-side and I resorted to using the server-side but also brought up the fact that we should not be doing the encoding to store the information in the database.

Thanks!
0
