Javascript injection attack prevention for textboxes

Question

say I have a textBox and a property to get and set its value:

public SomeText
{
   get { return HttpUtility.HtmlEncode(textBox.Text); }
   set { textBox.Text = HttpUtility.HtmlEncode(value); }
}

I have used HtmlEncode to prevent Javascript injection attacks. After thinking about it though I'm thinking I only need the HtmlEncode on the getter. The setter is only used by the system and can not be accessed by an external user.

Is this correct?

Answer 1

A couple points;

First:

You should really only encode values when you display them, and not any other time. By encoding them as you get the value from the box, and also when you paste in, you could end up with a real mess, that will just get worse and worse any time someone edits the values. You should not encode the values (against HTML/Javascript injection - you DO need to protect against SQL injection, of course) upon saving to the database in most cases, especially if that value could later be edited. In such a case, you actually need to decode it upon loading it back... not encode it again. But again; it's much simpler only to encode when displaying it (which includes displaying for editing, btw)

Second:

HtmlEncode protects against injecting HTML - which can include a <script> block which would run Javascript, true. But this also protects against generally malicious HTML that has nothing to do with Javascript. But protecting against Javascript injection is almost a different thing; that is, if you might ever display something entered by the user in, say, a javascript alert('%VARIABLE'); you have to do a totally different kind of encoding there than what you are doing.

Answer 2

Yes. You only need to encode strings that you have accepted from the users and you have to show inside your pages.