HtmlEncode

See Also: Web Application Helper Functions

Purpose

The HtmlEncode function ensures that when field data is passed back to the browser, the data is properly encoded so that the text will not be interpreted by the browser as special HTML formatting characters. It also adds <br> to the end of each line.

Return Type

String

Syntax

Use HtmlEncode.pkg
(HtmlEncode({string-value}))

What it Does

XSS Vulnerabilities

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other.

The DataFlex web controls encode data for the browser by default in most cases. The exceptions are cWebHtmlBox, cWebHtmlList, and any control that has pbAllowHtml set to True.

In those situations, the solution is to apply HtmlEncode to the data yourself.

Before data is passed back to the browser, you will often want to make sure that the data is properly encoded so that the text will not be interpreted by the browser as special HTML formatting characters.

The characters that it checks for are &, <, >, ", and ', as well as characters 10 and 13. For example, your data might contain the following text:

"To create a bold string you should enter the <b> character."

Without some kind of conversion, the <b> will be interpreted by your browser as the start of a bold block. The HtmlEncode function will convert this text so that it properly uses HTML replacement characters. In this case, you want the string to be passed to ASP as:

"To create a bold string you should enter the &lt;b&gt; character."

This will properly display in the browser as "<b>".

Note: The function DDValue (when iOption is 0) and the procedure WriteHtmlPlainText perform this conversion for you automatically. When you create custom augmentations of DDValue, you should remember to encode your data if it is required. When you create reports using any other Write message other than WriteHtmlPlainText, you should remember to encode your data as needed. Normally, you will want to encode all string and text data.

Example

Use HtmlEncode.pkg
Move (HtmlEncode(sText)) to sText
Send WriteHtml (HtmlEncode(sTemp))
Move (HtmlEncode(Customer.Notes)) to sNotes
Send WriteHtml sNotes
Send WriteHtmlCell (HtmlEncode(Customer.Name))

Notes

  • The reason that most Write messages are not automatically encoded is so that you can embed your own HTML markup in your output strings. For example:

    // output the text field in italics
    Send WriteHtml ("<i>" + HtmlEncode(sNotes) + "</i>")

  • It is very important that you remember to encode your data or your resulting HTML output may be undesirable.
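The following is an added example, not DataFlex's own code: a Python model of the substitutions this page describes for HtmlEncode (the five characters plus characters 10 and 13), together with the "wrap encoded data in your own markup" pattern from the Notes above. The entity spellings and the rule that CR LF, a bare CR and a bare LF each become one <br> are assumptions; the page only names the characters and says <br> ends each line.

```python
# Added example, not DataFlex's own code: a Python model of the HtmlEncode
# behaviour this page describes, so the effect of each rule can be seen and
# tested. Assumptions: entity spellings below, and that CR LF, a bare CR and
# a bare LF each become a single "<br>".

# Order matters: "&" is replaced first, otherwise the "&" inside the entities
# produced by the later rules would itself be encoded a second time.
_REPLACEMENTS = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
)


def html_encode(value: str) -> str:
    """Return value with HTML-significant characters turned into entities and
    line breaks turned into <br>, so the browser shows the text literally."""
    for raw, entity in _REPLACEMENTS:
        value = value.replace(raw, entity)
    # CR LF first so a Windows line ending yields one <br>, not two.
    value = value.replace("\r\n", "<br>")
    value = value.replace("\r", "<br>").replace("\n", "<br>")
    return value


def write_html_italic(notes: str) -> str:
    """The pattern from the Notes section: developer-written markup wraps the
    encoded field data, so only the <i> tags are interpreted by the browser."""
    return "<i>" + html_encode(notes) + "</i>"


if __name__ == "__main__":
    # Constructed field data: the page's own worked case, then quotes, an
    # ampersand and a Windows line ending.
    sample = "To create a bold string you should enter the <b> character"
    print(html_encode(sample))
    print(write_html_italic('Tom & Jerry said "hi"\r\nsee <b>bold</b>'))
    # Encoding data that is already encoded is a real pitfall: "&lt;" becomes
    # "&amp;lt;" and the user sees the literal text "&lt;" on the page.
    print(html_encode(html_encode("<")))
```

Run it to see the page's <b> case come out as &lt;b&gt;, and note the last line: applying HtmlEncode twice to the same value (for example encoding sText into sText and then encoding it again on output) shows entities to the user instead of the text.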