I am trying to figure out the context in which HtmlAttributeEncode could be used.
I tried with a simple 'Hello!' alert script set as a control attribute, so I could see HtmlAttributeEncode in action, but I can't see where I can use HtmlAttributeEncode instead of HtmlEncode.
So, for example, I have:
- a textbox for user input
  //txtuserInput.Text = <script>alert(document.cookie);</script>
- an anchor control to show the user input being set as one of its attribute values
In the code-behind I tried:
myanchorTag.InnerText = txtuserInput.Text
or
myanchorTag.Id = txtuserInput.Text
But I can't see this script running :-(
I have already tried that for the TextBox.Text property, but for that I can use HtmlEncode.
Can anyone please guide me?
Thank you!
The asp:Textbox control automatically escapes the .Text property. See http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-08-91-89-96/asp.net_5F00_control_5F00_encoding.htm
You should use HtmlAttributeEncode when using unescaped controls and when building raw HTML.
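The situation the question describes and the answer's advice, as an added example (not code from the question or the answer): the poster's control-based attempts show nothing because server controls such as the TextBox and the anchor's InnerText HTML-encode on render, so the place where HtmlAttributeEncode earns its keep is raw HTML you concatenate yourself. The snippet below builds an anchor tag by hand, encoding the attribute value with HttpUtility.HtmlAttributeEncode and the element text with HttpUtility.HtmlEncode. It assumes a .NET Framework project referencing System.Web; the sample input is constructed here (the poster's script plus a double quote, the character that would otherwise end the attribute).

```csharp
// Added example, not from the question or answer above.
// Assumes the .NET Framework System.Web assembly is referenced (HttpUtility lives there).
using System;
using System.Web;

static class AttributeEncodingDemo
{
    // Constructed sample input: the poster's script plus a double quote.
    // In an attribute context the quote is the dangerous character, because
    // an unencoded quote would close the attribute early.
    const string UserInput = "Hello\" <script>alert(document.cookie);</script>";

    // Builds a raw anchor tag the way the answer warns about: when HTML is
    // concatenated by hand, no control encodes anything for you, so each
    // context (attribute value vs. element text) needs its own encoder.
    static string BuildAnchor(string userInput)
    {
        // Attribute value: HtmlAttributeEncode turns the quote into &quot;
        // (and encodes & and <), so the value stays inside the title="...".
        string title = HttpUtility.HtmlAttributeEncode(userInput);

        // Element text: HtmlEncode is the right call for content between tags;
        // it also encodes > so no tag can be opened or closed from the text.
        string text = HttpUtility.HtmlEncode(userInput);

        return "<a id=\"myanchorTag\" title=\"" + title + "\">" + text + "</a>";
    }

    // Same markup built without encoding: this is what the browser would
    // parse as a real quote and real script tags. Shown for comparison only.
    static string BuildAnchorUnencoded(string userInput)
    {
        return "<a id=\"myanchorTag\" title=\"" + userInput + "\">" + userInput + "</a>";
    }

    static void Main()
    {
        Console.WriteLine("Encoded:   " + BuildAnchor(UserInput));
        Console.WriteLine("Unencoded: " + BuildAnchorUnencoded(UserInput));
    }
}
```

Compile it as a console application with a reference to System.Web and compare the two lines: in the encoded version the quote and the angle brackets inside the attribute are entities, so the browser treats the whole string as an inert title, while in the unencoded version the quote terminates the attribute. That difference is invisible when you go through TextBox.Text or InnerText, which is why the question's experiment showed nothing.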