How do I use HTML encoding?

Michael Sterling
I need to use HTML encoding to filter/scrub some data being read by my SqlDataReader object; I'm trying to prevent an XSS attack. I've never used HTML encode before, but I need to apply it to code that looks like the following:

```csharp
oReader = oCmd.ExecuteReader();

if (oReader.HasRows == true)
{
    int iLastID = 0;
    decimal total = 0;

    while (oReader.Read())
    {
        // First row for a new check type: show the description column
        if (iLastID != oReader.GetInt32(oReader.GetOrdinal("checktypeid_fk")))
        {
            sTableDetail += "<tr>";
            sTableDetail += "<TD>" + oReader.GetValue(oReader.GetOrdinal("Description")).ToString() + "</TD>";
            sTableDetail += "<TD>" + oReader.GetValue(oReader.GetOrdinal("Quantity")).ToString() + "</TD>";
            sTableDetail += "<TD align=right>$" + oReader.GetValue(oReader.GetOrdinal("Amount")).ToString() + "</TD>";
            sTableDetail += "<TD align=right>$" + Convert.ToString(Convert.ToDouble(oReader.GetValue(oReader.GetOrdinal("Amount"))) * Convert.ToDouble(oReader.GetValue(oReader.GetOrdinal("Quantity")))) + "</TD></TR>";
        }
        else
        {
            // Additional rows for the same check type: indented state/county fee lines
            sTableDetail += "<tr>";

            if (oReader.IsDBNull(oReader.GetOrdinal("county")) == true & oReader.IsDBNull(oReader.GetOrdinal("state")) == false)
            {
                sTableDetail += "<TD>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;State Fee - " + oReader.GetValue(oReader.GetOrdinal("state")).ToString() + "</TD>";
            }
            else
            {
                if (oReader.IsDBNull(oReader.GetOrdinal("county")) == false & oReader.IsDBNull(oReader.GetOrdinal("state")))
                {
                    sTableDetail += "<TD>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;County fee - " + oReader.GetValue(oReader.GetOrdinal("County")).ToString() + ", " + oReader.GetValue(oReader.GetOrdinal("state")).ToString() + "</td>";
                }
            }

            sTableDetail += "<TD>" + oReader.GetValue(oReader.GetOrdinal("Quantity")).ToString() + "</TD>";
            sTableDetail += "<TD align=right>$" + oReader.GetValue(oReader.GetOrdinal("Amount")).ToString() + "</TD>";
            sTableDetail += "<TD align=right>$" + Convert.ToString(Convert.ToDouble(oReader.GetValue(oReader.GetOrdinal("Amount"))) * Convert.ToDouble(oReader.GetValue(oReader.GetOrdinal("Quantity")))) + "</TD></TR>";
        }

        iLastID = oReader.GetInt32(oReader.GetOrdinal("checktypeid_fk"));
        total += Convert.ToDecimal(oReader.GetValue(oReader.GetOrdinal("Amount"))) * oReader.GetInt32(oReader.GetOrdinal("Quantity"));
    }

    // build total row (the closing </TD></TR> was missing)
    sTotalRow = "<tr>";
    sTotalRow += "<TD align=right colSpan=3><B>TOTAL:</B></TD>";
    sTotalRow += "<TD align=right><B>$" + total.ToString() + "</B></TD></TR>";

    // Build table footer
    sTableFooter = "</table>";
}
else
{
    sTableDetail += "<tr><td colspan=4 align=center><font color=red>ERROR building invoice.  Contact technical support.</font></td></tr>";
}

return sTableHeader + sTableDetail + sTotalRow + sTableFooter;
```

How do I do this?
System.Web HttpUtility.HtmlEncode Method
https://docs.microsoft.com/en-us/dotnet/api/system.web.httputility.htmlencode?redirectedfrom=MSDN&view=netframework-4.8
```csharp
using System.IO;
using System.Web;

string myString = @"<html>tester</html> ";
string myEncodedString = HttpUtility.HtmlEncode(myString);   // escape <, >, &, " for safe output in HTML
StringWriter myWriter = new StringWriter();
HttpUtility.HtmlDecode(myEncodedString, myWriter);           // write the decoded text to a TextWriter
```

HttpServerUtility.UrlEncode and HttpServerUtility.UrlDecode Methods
https://docs.microsoft.com/en-us/dotnet/api/system.web.httpserverutility.urldecode?view=netframework-4.8
https://docs.microsoft.com/en-us/dotnet/api/system.web.httpserverutility.urlencode?view=netframework-4.8
```csharp
// Server is the page's HttpServerUtility instance in ASP.NET
string encoded = Server.UrlEncode("your string");    // "your+string"
string decoded = Server.UrlDecode("Your%20string");  // "Your string"
```

Michael Sterling (Author, Web Applications Developer) commented:
@hilltop so based on your comment and what I have to encode, speaking just to the encoding part, if I do something like:

```csharp
return HTMLEncode(sTableHeader + sTableDetail + sTotalRow + sTableFooter);
```

(the `return` line above), that should work, for the encoding part, right?
Yes that will encode a string.
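An added example, not code from the thread, showing per-value encoding: each value read from the reader goes through HttpUtility.HtmlEncode at the point it is placed into its cell, so the literal `<tr>`/`<td>` markup stays intact while database content is rendered as text. It also shows what happens when HtmlEncode is applied to the assembled header+detail+total string instead: the tags themselves are escaped and the browser displays the markup literally. The in-memory DataTable is a constructed stand-in for the SqlDataReader result set so the program runs offline.

```csharp
using System;
using System.Data;
using System.Text;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework); System.Net.WebUtility.HtmlEncode is equivalent

static class InvoiceRows
{
    // Encode one reader value at the moment it is placed into the markup.
    // A DBNull cell becomes an empty string.
    static string Enc(IDataReader r, string column)
    {
        int i = r.GetOrdinal(column);
        return r.IsDBNull(i) ? "" : HttpUtility.HtmlEncode(r.GetValue(i).ToString());
    }

    // Same row layout as the question's loop, but every database-sourced value
    // goes through Enc(); the literal <tr>/<td> markup is never encoded.
    public static string BuildDetail(IDataReader oReader)
    {
        var sb = new StringBuilder();
        while (oReader.Read())
        {
            decimal amount = Convert.ToDecimal(oReader["Amount"]);
            int qty = Convert.ToInt32(oReader["Quantity"]);
            sb.Append("<tr>");
            sb.Append("<td>").Append(Enc(oReader, "Description")).Append("</td>");
            sb.Append("<td>").Append(Enc(oReader, "Quantity")).Append("</td>");
            sb.Append("<td align=\"right\">$").Append(Enc(oReader, "Amount")).Append("</td>");
            sb.Append("<td align=\"right\">$").Append(amount * qty).Append("</td></tr>");
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed in-memory table standing in for the SqlDataReader result set.
        var t = new DataTable();
        t.Columns.Add("Description", typeof(string));
        t.Columns.Add("Quantity", typeof(int));
        t.Columns.Add("Amount", typeof(decimal));
        t.Rows.Add("Background check", 2, 15.00m);
        t.Rows.Add("<script>alert(1)</script>", 1, 5.00m); // hostile text stored in the database

        // The second row's description is emitted as escaped text: the browser shows it rather than running it.
        Console.WriteLine(BuildDetail(t.CreateDataReader()));

        // Encoding the finished table instead (HtmlEncode over header+detail+total) escapes the tags
        // themselves, so the browser displays the markup as literal text instead of a table.
        Console.WriteLine(HttpUtility.HtmlEncode("<tr><td>x</td></tr>"));
    }
}
```

The same rule applies to the state/county fee cells in the question's else branch: encode each reader value, and keep the `&nbsp;` padding and tags as literal markup around it.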
Michael Sterling (Author, Web Applications Developer) commented:
Thanks for your help hilltop.