stackoom
  简体   繁体   中英

HTML Encoding Server side vs Client side

 原文  2010-06-14 11:11:09       asp.net/ javascript/ html-encode

Question

I want to enable comment posting on my page, so i need to execute some html encoding before post is sent and inserted into a database.

What is the ideal side for this?
Sever side(I work with asp.net) or client side (javascript)?

4 answers

solution1
 6 ACCPTED  2010-06-14 11:12:49

If you mean sanitizing the user input, the only place you can do that safely is server-side. You can't be sure that anything has been done client-side, it's too easy to bypass client-side code.

It's like data validation: It's nice to do data validation (making sure key fields of a form are filled in with valid values, for instance) on the client because the immediate feedback makes for a good user experience, but doing so is not a substitute for doing it on the server, because it's trivially easy to bypass the client-side validation.

But with sanitizing input, you don't even want to try to do that client-side; assume it's un-sanitized and sanitize it on the server.

In ASP.Net, if the input you're sanitizing is a string you're later going to display in an HTML page and you want to ensure that it doesn't contain HTML tags of its own, you can use HttpServerUtility.HtmlEncode to encode the string (basically, turning < into &lt; and such).

solution2
 5  2010-06-14 11:13:28

Without a doubt, definitely server side. However, I would encode the input before output to the browser instead of before input to the database .

If you are using ASP .NET MVC you can use the helper method. 

<%= Html.Encode("user comment with html in it <script>alert('bad')</script>") %>

If you are using ASP .NET (webforms or MVC) in the NET 4 framework, you can use the new syntax. 

<%: "user comment with html in it <script>alert('bad')</script>" %>

solution3
 1  2010-06-14 11:15:35

Surely you should go with server side .

If you do it with client side, Users can easily get the encryption what you are using.

If it is a server side.It should be more secure.

solution4
 0  2010-06-14 11:20:23

A way to do it is to keep your page in UTF-8 for whatever users may be entering with 

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

in the header of output and keep the database in unicode as well. You can never be sure what users are going to input.

Every database stack also delivers the means to escape possibly malicious content, eg mysql_real_escape_string MySQL function in PHP.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Client Side or Server side? Mobile site detection server side vs client side Setting tracking cookie on client side vs server side? Tradeoffs with client vs server side postback handling Unable to find client side html date control from server side Is it smart thing to create html string on server side and append it on client side? Client side data to server side opening a html page on the client from server side Html.beginform validation Server and Client side Cache is client side or server side?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM