I recently learned that I should not store HTML-encoded data in a database, but should rather HTML-encode the data at the point where it is displayed on the screen to the user. That's fine; I have to fix my entries in the database and make some changes to the code.
But my question is when I should HTML-encode and when I shouldn't. For example, in an HTML table, I write data directly from the database into the column's innerHTML. Without encoding, this would be dangerous, I understand.
What about setting the value of a text field? It seems to work without needing to HTML-encode the value, but I do not know why. Here's what the text box looks like:
<input type="textbox" value="xxx"/>
But when I set the value to: "/><p style="font-size: 100px;">testing hack</p>
The html source will be:
<input type="textbox" value=""/><p style="font-size: 100px;">testing hack</p>
It looks normal, although if you look closely, the p tag does not work as intended, the "hack".
Does anyone get what I'm aiming for? :) If I try to HTML-encode something that I set as the value of the text field, the result displays "&lt;" etc. That is not what I intended.
So, in short: should I only HTML-encode material that is inserted into the innerHTML of HTML controls, and not when setting the value of, for example, text fields?
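The distinction the question is circling, as an added example that is not part of the original post: a value only needs HTML encoding when it is going to pass through the HTML parser, and the encoding must match the context it lands in (element text versus a quoted attribute). Assigning a string to a DOM property such as input.value after the page is parsed skips the parser entirely, which is why an already-encoded value shows up as literal "&lt;" there. The renderInput* functions below are a hypothetical server-side template that concatenates a database value into the question's text box; the payload is the one from the question, constructed inline.

```javascript
// Added example (not code from the original post): context-aware HTML
// encoding. The same database value needs different handling depending on
// where it ends up: written into markup as element text, written into markup
// as an attribute value, or assigned to a DOM property (input.value) after
// the page has already been parsed.

// Encode for text between tags (what innerHTML / a table cell needs).
function encodeHtmlText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Encode for a double-quoted attribute value. The quote character is what
// closes the attribute, so it must be encoded as well or the value breaks out.
function encodeHtmlAttr(s) {
  return encodeHtmlText(s).replace(/"/g, '&quot;');
}

// What the browser does when it parses an attribute value back out of markup
// (decode &amp; last so "&amp;lt;" round-trips to "&lt;" and not "<").
function decodeHtmlAttr(s) {
  return String(s)
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Hypothetical server-side rendering of the question's text box, with the
// database value concatenated straight into the markup (unsafe) or encoded
// for the attribute context first (safe).
function renderInputUnsafe(value) {
  return '<input type="text" value="' + value + '"/>';
}
function renderInputSafe(value) {
  return '<input type="text" value="' + encodeHtmlAttr(value) + '"/>';
}

// Check whether the rendered markup is still exactly one <input> tag with the
// whole value contained inside its attribute. Returns the raw attribute text,
// or null if extra markup escaped the attribute (the breakout from the question).
function containedValue(html) {
  const m = /^<input type="text" value="([^"]*)"\/>$/.exec(html);
  return m ? m[1] : null;
}

// Constructed input: the payload from the question.
const PAYLOAD = '"/><p style="font-size: 100px;">testing hack</p>';

function demo() {
  const unsafe = renderInputUnsafe(PAYLOAD);
  const safe = renderInputSafe(PAYLOAD);
  return {
    unsafeBrokeOut: containedValue(unsafe) === null,   // a <p> now follows the input
    safeStayedInside: containedValue(safe) !== null,   // value is just attribute text
    // The browser decodes the attribute, so the field shows the original
    // characters, not "&quot;" or "&lt;".
    fieldShows: decodeHtmlAttr(containedValue(safe)),
    // Assigning this string to input.value in script bypasses the parser, so
    // the entities would be displayed literally; assign the raw value instead.
    doubleEncoded: encodeHtmlAttr(PAYLOAD),
  };
}
```

Running demo() shows the unsafe render breaking out of the attribute, the safe render keeping the payload inside it, and the decoded attribute coming back as the original text. For the in-browser case the question asks about, `document.querySelector('input').value = PAYLOAD` stores the raw string on the element; nothing re-parses it as markup, so no encoding is needed there, and encoding it first is exactly what produces the visible "&lt;".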