You are creating an ASP NET application by using the .NET Framework 3.5.
The application stores HTML content in a database. The HTML content is provided by multiple external information feeds. When a user visits a page they are shown a panel containing the HTML source for one of the information feeds.
You need to ensure that any script code stored in the database cannot be executed when displayed in the client browser.
What should you do?
A.
UseServer.HtmlEncode()on all data before storing it in the database. Use Server.HtmlDecode() when displaying data from the database.
B.
Store the data in the format received. UseServer.HtmlEncode()when displaying data from the database.
C.
Store the data in the format received. Use Server.HtmlDecodeQwhen displaying data from the database.
D.
UseServer.HtmlDecode()on alldata before storing it in the database. Use Server.HtmlEncode() when displaying data from the database.
Explanation:
Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user or from other sources such as databases.
HtmlEncode replaces characters that have special meaning in HTML-to-HTML variables thatrepresent those characters. For example, < is replaced with < and ” is replaced with ". Encoded data does not cause the browser to execute code. Instead, the data is rendered as harmless HTML.
HtmlDecode() dose the opposite and returns the data like you received it before. So you should use HtmlEncode for displaying the page.
See also:http://msdn.microsoft.com/en-us/library/ff649310.aspx