Post Html Code

In many cases in your application, you may want users to post HTML tags as input through your web page. For example, you may allow the user to enter a comment in whatever HTML format they want. For instance, a user may want to enter the comment

<h3><font color="green">Krishna</font> is Great</h3>

so that the comment is displayed in the HTML page as Krishna is Great.

Now, the problem is that ASP.NET treats these tags as dangerous, since they might affect the structure of your web page. Moreover, a user may post hazardous HTML code which may even break your application if it is not handled properly. So ASP.NET does not allow you to post these tags directly: it validates all your input values for dangerous values. However, you can bypass this validation by setting the ValidateRequest attribute of the page to false, as shown below:

<%@ Page Language="C#" ValidateRequest="false" %>

If ValidateRequest is set to true, request validation is performed by comparing all input data to a list of potentially dangerous values. If a match occurs, ASP.NET raises an HttpRequestValidationException and displays its error page.

For .NET Framework 4 developers, you additionally have to add the following setting (inside <system.web>) in the web.config file:

<httpRuntime requestValidationMode="2.0" />

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request. As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, we have to add the setting shown above in the Web.config file.

Now that you are able to post HTML tags, you may also want to store these comments (HTML code) in a database. However, SQL Server does not allow you to store special characters like %, < etc. which are part of HTML tags. So, in order to overcome this issue, we have to use the HtmlEncode and HtmlDecode methods, which convert these special characters into normal alphanumeric characters.

HTMLENCODE

The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application. Encoding data converts potentially unsafe characters to their HTML-encoded equivalent. If the string to be encoded is not DBCS, HTMLEncode converts characters as follows:

The less-than character (<) is converted to &lt;.
The greater-than character (>) is converted to &gt;.
The ampersand character (&) is converted to &amp;.
The double-quote character (") is converted to &quot;.
Any ASCII code character whose code is greater than or equal to 0x80 is converted to &#<number>, where <number> is the ASCII character value.

If the string to be encoded is DBCS, HTMLEncode converts characters as follows:

All extended characters are converted.
Any ASCII code character whose code is greater than or equal to 0x80 is converted to &#<number>, where <number> is the ASCII character value.
Half-width Katakana characters in the Japanese code page are not converted.

Syntax

Server.HTMLEncode(string)

Input parameter: the string to be encoded.

HTMLDECODE

The HTMLDecode <http://msdn.microsoft.com/en-us/library/ms525347.aspx> method is the reverse of HTML encoding and applies HTML decoding to a specified string. So, the output of the HTMLDecode method will be the original input string to the HTMLEncode method.

Syntax

Server.HTMLDecode(string)

Input parameter: the string to be decoded.
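The conversion rules listed under HTMLENCODE and HTMLDECODE are easy to check by implementing them. The Python code below is an added example, not code from the original article and not ASP.NET's own implementation: it applies the non-DBCS HTMLEncode rules above (the four named entities plus &#N; for any character at or above 0x80), implements the matching decode, and adds a small check that an encoded string contains no raw markup characters. The sample comment is the one from the article; the function names and the is_inert check are my own.

```python
import html
import re

# Character table from the article's non-DBCS HTMLEncode rules.
NAMED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def html_encode(text: str) -> str:
    """Apply the HTMLEncode rules: the four markup characters become named
    entities and any character at or above 0x80 becomes a numeric &#N;
    reference. A single pass over the input means '&' is never encoded twice."""
    out = []
    for ch in text:
        if ch in NAMED:
            out.append(NAMED[ch])
        elif ord(ch) >= 0x80:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


# Matches exactly the entities html_encode can produce.
_ENTITY = re.compile(r"&(lt|gt|amp|quot|#\d+);")
_REVERSE = {v[1:-1]: k for k, v in NAMED.items()}  # "lt" -> "<", ...


def html_decode(text: str) -> str:
    """Reverse html_encode: named entities and &#N; references back to characters."""
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name.startswith("#"):
            return chr(int(name[1:]))
        return _REVERSE[name]
    return _ENTITY.sub(repl, text)


def is_inert(stored: str) -> bool:
    """True when a string contains no raw '<' or '>' and so cannot open a tag
    if it is written into a page unchanged (the property encoding buys you)."""
    return "<" not in stored and ">" not in stored


# Constructed sample input: the comment used in the article.
COMMENT = '<h3><font color="green">Krishna</font> is Great</h3>'

if __name__ == "__main__":
    encoded = html_encode(COMMENT)
    print(encoded)
    print("round trip ok:", html_decode(encoded) == COMMENT)
    # Cross-check the encoding against the standard library's decoder.
    print("stdlib agrees:", html.unescape(encoded) == COMMENT)
    print("encoded form is inert:", is_inert(encoded))
```

Encoding before storage is what keeps the stored comment from opening a tag when it is later written into a page; decoding restores the original markup exactly, so a decoded value belongs only at the point where raw HTML is actually intended to render.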
In short, the HtmlEncode method is designed to receive a string that contains HTML markup characters such as > and <. The HtmlDecode method, meanwhile, is designed to reverse those changes: it changes encoded characters back to actual HTML.

In order to understand it better, let us see a very simple example.

<asp:TextBox ID="txtInput" runat="server" Width="165px" />
<asp:Button ID="cmdEncode" runat="server" Text="encode" OnClick="cmdEncode_Click" />
<asp:Button ID="Button1" runat="server" Text="decode" OnClick="cmdDecode_Click" />
<br />
<h5>encoded/decoded Text will be shown here</h5>
<asp:TextBox ID="txtMsg" runat="server" Width="284px" TextMode="MultiLine" /><br />

As you see above, we have a textbox to accept the input string, and we have another textbox to display the encoded/decoded output of the text string. Both the decode and encode functions are as shown below:

using System;
using System.IO;

// One StringWriter per page instance; each postback builds a fresh page,
// so the encode and decode handlers never see each other's output.
StringWriter tw = new StringWriter();
string sInput = string.Empty;

protected void cmdEncode_Click(object sender, EventArgs e)
{
    // Get the string
    sInput = txtInput.Text;
    // Encode the HTML code into the writer
    Server.HtmlEncode(sInput, tw);
    txtMsg.Text = tw.ToString();
}

protected void cmdDecode_Click(object sender, EventArgs e)
{
    // Decode the HTML code
    Server.HtmlDecode(txtMsg.Text, tw);
    // Display the decoded string in the multiline textbox control
    txtMsg.Text = tw.ToString();
}

Output on click of button encode: the Encode method encodes the user input and displays it in the txtMsg textbox.

Output on click of button decode: the Decode method takes the encoded string from the txtMsg textbox and displays it in the txtMsg textbox itself.

Summary

You should never allow the user to enter HTML tags as input. However, if it is needed, then these methods provide a reliable replacement of HTML characters and can be used judiciously to fulfill your requirement.