Double Encoding Problem


jgd1234567 (Programmer, GB), May 2, 2007
Hi, I'm trying to make my website more secure by encoding any output I display. However, I still want to allow some HTML tags.

I am using a WYSIWYG editor with only bold, italic and underline enabled. I enter my text in the WYSIWYG and click submit; the data is then inserted into the database without encoding. I then HTML-encode the text as I display it and replace any occurrences of &lt;b&gt; with <b> etc. to allow the specific HTML tags. The problem I have, though, is that the WYSIWYG encodes certain characters (i.e. <), but then I encode them and suddenly, instead of displaying as <, it displays as &lt;.

I was wondering if anyone knows a way I could do this. Appreciate your help.
 
Are you saying you want to encode the HTML that is rendered to the page?
 
You need to DECODE when you display, not encode.
 
Hi, sorry, I'll try to explain it better with an example. Say I have the following string:

string text = "<strong>Blah</strong> &lt;a href=&quot;test.com&quot;&gt;test&lt;/a&gt; <script>alert('test');</script>";

I want to allow the strong tag but encode the script tag. Therefore I do the following to it (I am using the Microsoft Anti-XSS library to encode the HTML):

text = AntiXss.HtmlEncode(text);
text = text.Replace("&#60;strong&#62;", "<strong>");
text = text.Replace("&#60;/strong&#62;", "</strong>");

I find this the best way because it works against a white list. The problem now, though, is that the already encoded tag is now double encoded. One way I have found to fix this is to do the following:

text = text.Replace("&#38;", "&");
text = text.Replace("&#59;", ";");

But I wonder if I am now making this insecure and defeating the purpose.
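One way to avoid the double encoding without undoing the encoding of & and ; afterwards, as an added example that is not the poster's code: decode the stored text exactly once, encode everything, then restore only bare allowlisted tags. It uses System.Net.WebUtility in place of the AntiXss library the poster mentions; SafeMarkup and the Allowed list are assumed names.

```csharp
using System;
using System.Net;

// Added example, not the poster's code. WebUtility stands in for AntiXss.HtmlEncode.
static class SafeMarkup
{
    // Allowlist of bare open/close tags only, so a tag carrying attributes
    // (for example an event handler) is never restored to live markup.
    static readonly string[] Allowed = { "strong", "b", "i", "u" };

    public static string Render(string stored)
    {
        // Step 1: normalise to raw text. The editor already entity-encoded parts of
        // the input, so decode exactly once; otherwise "&lt;" re-encodes to "&amp;lt;".
        string raw = WebUtility.HtmlDecode(stored);

        // Step 2: encode the whole string. Every '<', '>', '&', '"' and '\'' is now inert.
        string encoded = WebUtility.HtmlEncode(raw);

        // Step 3: put back only the allowlisted tags. Unknown tags (script, a, ...) and
        // any allowlisted tag with attributes stay encoded and render as literal text.
        foreach (string tag in Allowed)
        {
            encoded = encoded
                .Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded;
    }

    static void Main()
    {
        // Constructed sample in the form the editor stores it: the <a> tag arrived
        // already entity-encoded, the <strong> and <script> tags did not.
        string stored = "<strong>Blah</strong> &lt;a href=&quot;test.com&quot;&gt;test&lt;/a&gt; "
                      + "<script>alert('test');</script>";

        Console.WriteLine(Render(stored));
    }
}
```

Because the decode happens before the single encode, the stored &lt;a ...&gt; is shown as literal text rather than becoming &amp;lt;, and the script tag is likewise rendered inert.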
 
I think you are confused as to what encoding does. Using HTMLEncode will not hide the script code from someone who views the page source. Is that what you are trying to do?
 