Have you ever wonder why there is an Html Encoding function (and other similar functions) in 3 different objects and namespaces?
The most common one is Server.HtmlEncode or System.Web.HttpContext.Current.Server.HtmlEncode. The Server Object is an instance of the System.Web.HttpServerUtility Class and it is readily accessible through any .aspx page since they inherit from the Page object which in turn has a Server Object instance. The second HtmlEncode function lives under System.Web.HttpUtility. This class is basically a static version of the Server class which means that you could call the HtmlEncode function from a static function or call from another class that does not have an instance of the HttpServerUtility class. Finally, The third HtmlEncode function is located in the Microsoft's AntiCross-Site Scripting Library. In contrast with the Server.HtmlEncode and HttpUtility.HtmlEncode functions, the later function takes a more aggressive approach by using a white-list filtering instead of a black-list.
Hope this helps.
ASP.NET, AJAX, C#, Ruby on Rails, Web Technologies in general, and hopefully Agile Development.
Friday, March 21, 2008
Server.HtmlEncode vs HttpUtility.HtmlEncode
Labels:
security
Subscribe to:
Post Comments (Atom)
1 comment:
Diego, thanks for that very useful distinction.
Post a Comment