JavaScript Editor jscript editor     Web designer 

Main Page

Most scripting exploits occur when users can get executable code (or script) into your application. By default, ASP.NET provides request validation, which raises an error if a form post contains any HTML.

You can help protect against script exploits in the following ways:

HTML encoding converts HTML elements using HTML–reserved characters so that they are displayed rather than executed.

To apply HTML encoding to a string

  • Before displaying strings, call the HtmlEncode method. HTML elements are converted into string representations that the browser will display rather than interpret as HTML.

    The following example illustrates HTML encoding. In the first instance, the user input is encoded before being displayed. In the second instance, data from a database is encoded before being displayed.


    This example will only work if you disable request validation in the page by adding the @ Page attribute ValidateRequest="false". It is not recommended that you disable request validation in a production application, so make sure that you enable request validation again after viewing this example.

    Visual BasicВ CopyCode imageCopy Code
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e _
        As System.EventArgs) Handles Button1.Click
            Label1.Text = Server.HtmlEncode(TextBox1.Text)
            Label2.Text = _
    End Sub

    C#В CopyCode imageCopy Code
    private void Button1_Click(object sender, System.EventArgs e)
        Label1.Text = Server.HtmlEncode(TextBox1.Text);
        Label2.Text = 

See Also

JavaScript Editor jscript editor     Web designer