Looking at an old ASP file, I am trying to figure out what would the best practice be in achieving the following:
I am receiving a string through a database connection.
This string is the displayed part of a select box.
I am required to output this string using Server.HTMLEncode(string).
However, since there are spaces in that string I get the output as .
What would the best practice be in converting back into actual whitespace?
To replace with whitespace in classic ASP I used the following code:
<%= Replace(Server.HTMLEncode(string)," "," ") %>
Where string is the variable that contains .
I am trying to figure out an issue in my Classic ASP application, whenever a user tries to copy text from Microsoft word into Textarea placeholder & save, it is stored in the Database as a??.
I tried replacing special characters like the single quote using the following statements:
Replace(Trim(Request.Form("Description")),chr(39), "'")
Replace(Trim(Request.Form("Description")),chr(39), "'")
Both of the above statements didn't work. It was able to find the special character (single quote) when I type it in and replaced it with ' when I use the 2nd statement, but for some weird reason it still doesn't work for copy-paste from Microsoft Word.
Because Word uses character 145 rather than 39, your code should be:
Replace(Trim(Request.Form("Description")),chr(145), "'")
I want to make an MVC View, which shows a string.
The string contains whitespaces (" ", "/t", "/n") and I want to show it in format defined in string.
My problem is, that if I return the string as ViewBag message, all of these whitespaces are lost. Is there any solution to resolve this problem?
A work around, replace \t with   and \n with <br/> and you could use,
@Html.Raw(ViewBag.Something)
Your issue is a web one where the browser ignores extraneous space. You need to convert all space characters to if you want to retain the number of spaces.
You have two options to achieve this.
use the pre HTML tag
or
you have to hard code the space chars into non-breaking white spaces.
hope it will help you to some extent.
I am developing web application on ASP.NET and I am getting textarea input from users and later display this input on website. While saving input into database I am not encoding input and directly write them into db.
If input contains "enter" I don't want to lose line breaks. So I am replacing data like that:
Replace("\r\n", "<br />")
And to prevent XSS attack before displaying I am encoding data using Microsoft's AntiXSS library's Microsoft.Security.Application.Encoder.HtmlEncode function.
This function also encodes "<br/>" and on screen I don't have any line break.
If I encode first with AntiXSS and then replace "\r\n" with "<br/>" I am not getting any line break as well, since AntiXSS I think removes "\r\n".
If I use Server.HtmlEncode and then replace "\r\n" with "<br/>" then everything is fine. But I want to use AntiXSS library and I don't know how to achieve this.
Is there any way to print line breaks using AntiXSS HtmlEncode function?
Thanks
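An added example, not part of the posts above and not code from the AntiXSS library: one way to keep line breaks and runs of spaces while still encoding the text is to encode each line separately and join the encoded lines with `<br />`, so the result does not depend on how the encoder treats `\r\n`. `WebUtility.HtmlEncode` stands in for the site's encoder, and `SafeText`, `ToHtmlWithBreaks` and the four-space tab width are assumptions of this example.

```csharp
using System;
using System.Linq;
using System.Net;

static class SafeText
{
    // Encode untrusted text for an HTML body while keeping its line breaks
    // and runs of spaces. Each line is encoded on its own, so the only markup
    // in the result is the <br /> and &nbsp; added here.
    public static string ToHtmlWithBreaks(string untrusted)
    {
        if (string.IsNullOrEmpty(untrusted)) return string.Empty;

        // "\r\n" is listed first so it is matched before a lone "\r" or "\n".
        string[] lines = untrusted.Split(new[] { "\r\n", "\n", "\r" }, StringSplitOptions.None);

        return string.Join("<br />", lines.Select(EncodeLine));
    }

    static string EncodeLine(string line)
    {
        // Assumption: a tab is shown as four spaces.
        // WebUtility.HtmlEncode stands in for whichever HTML encoder the site uses.
        string encoded = WebUtility.HtmlEncode(line.Replace("\t", "    "));

        // Browsers collapse consecutive spaces, so every second space of a run
        // becomes &nbsp;. This happens after encoding, so the entity is ours.
        return encoded.Replace("  ", " &nbsp;");
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample input: a script tag, a line break and a double space.
        string input = "<script>alert(1)</script>\r\nline  two";
        Console.WriteLine(SafeText.ToHtmlWithBreaks(input));
    }
}
```

The returned string is already encoded, so in a Razor view it is this value, and not the raw input, that goes to `Html.Raw`.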
I'm building an automated RSS feed in ASP.NET and occurrences of apostrophes and hyphens are rendering very strangely:
"Here's a test" is rendering as "Here’s a test"
I have managed to circumvent a similar problem with the pound sign (£) by escaping the ampersand and building the HTML escape for £ manually as shown in the extract below:
sArticleSummary = sArticleSummary.Replace("£", "£")
But the following attempt is failing to resolve the apostrophe issue, we still get ’ on the screen.
sArticleSummary = sArticleSummary.Replace("’", "’"")
The string in the database (SQL2005) for all intents and purposes appears to be plain text - can anyone advise why what seem to be plain text strings keep coming out in this manner, and if anyone has any ideas as to how to resolve the apostrophe issue that'd be appreciated.
Thanks for your help.
[EDIT]
Further to Vladimir's help, it now looks as though the problem is that somewhere between the database and it being loaded into the string var the data is converting from an apostrophe to ’ - has anyone seen this happen before or have any pointers?
Thanks
I would guess the column in your SQL 2005 database is defined as a varchar(N), char(N) or text. If so the conversion is due to the database driver using a different code page setting to that set in the database.
I would recommend changing this column (and any others that may contain non-ASCII data) to nvarchar(N), nchar(N) or nvarchar(max) respectively, which can then contain any Unicode code point, not just those defined by the code page.
All of my databases now use nvarchar/nchar exclusively to avoid these types of encoding issues. The Unicode fields use twice as much storage space but there'll be very little performance difference if you use this technique (the SQL engine uses Unicode internally).
Transpires that the data (whilst showing in SQLServer plain) is actually carrying some MS Word special characters.
Assuming you get Unicode characters from the database, the easiest way is to let System.Xml.dll take care of the conversion for you by building the RSS feed with an XmlDocument object. (I'm not sure about the elements found in an RSS feed.)
XmlDocument rss = new XmlDocument();
rss.LoadXml("<?xml version='1.0'?><rss />");
XmlElement element = rss.DocumentElement.AppendChild(rss.CreateElement("item")) as XmlElement;
element.InnerText = sArticleSummary;
or with Linq.Xml:
XDocument rss = new XDocument(
    new XElement("rss",
        new XElement("item", sArticleSummary)
    )
);
I would just put "Here's a test" into a CDATA tag. Easy and it works.
<![CDATA[Here's a test]]>
I am building up a string on the server that is getting put into a JavaScript variable on the client.
What is the best way of encoding this to avoid any issues?
Right now on the server I am doing something like this:
html = html.Replace("'", "'");
But I assume there is a more elegant, foolproof way of doing stuff like this.
You're really better off using the Microsoft Anti-Cross Site Scripting Library to do this. They provide a JavaScriptEncode method that does what you want:
Microsoft.Security.Application.AntiXss.JavaScriptEncode("My 'Quotes' and ""more"".", False)
html = html.Replace("'", "%27");
I'm not sure in which context you're using this string, but \' might be what you're looking for. The backslash is an escape character and allows you to use certain characters that can't otherwise be present in a string literal. This is what the output JavaScript should look like:
alert('It\'s amazing');
Of course, you could use alert("It's amazing"); in this particular case.
Anyway, if you're building JavaScript code:
html = html.Replace("'", "\\'");
On the other hand, there are other characters besides apostrophes that need some processing. Using the Microsoft Anti-Cross Site Scripting Library would get all of them at once.
I found that the AntiXSS library was not able to accomplish what I was looking for, which was to encode server side and decode in javascript.
Instead I used Microsoft.JScript.dll which allows you to:
GlobalObject.escape(string);
and on the client side in javascript:
unescape(string);
The characters that you need to escape in a string value are the backslash and the character used as string delimiter.
If apostrophes (') are used as string delimiter:
html = html.Replace(@"\", @"\\").Replace("'", @"\'");
If quotation marks (") are used as string delimiter:
html = html.Replace(@"\", @"\\").Replace(@"""", @"\""");
If you don't know which delimiter is used, or if it may change in the future, you can just escape both:
html = html.Replace(@"\", @"\\").Replace("'", @"\'").Replace(@"""", @"\""");
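An added example, not part of the answers above: a single-pass encoder for a value that is written into a quoted JavaScript string inside an inline `<script>` block. Beyond the backslash and the two quote characters it also covers line breaks, control characters, `<`, `>`, `&` and the line separators U+2028/U+2029, which the `Replace` chains leave untouched. `JsLiteral` and `Encode` are names chosen for this example.

```csharp
using System;
using System.Text;

static class JsLiteral
{
    // Escape untrusted text for use inside a quoted JavaScript string literal
    // that is emitted into an inline <script> block.
    public static string Encode(string untrusted)
    {
        var sb = new StringBuilder();
        foreach (char c in untrusted ?? string.Empty)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\\"); break;
                case '\n': sb.Append(@"\n"); break;
                case '\r': sb.Append(@"\r"); break;
                default:
                    // Quotes, HTML-significant characters, control characters and
                    // U+2028/U+2029 become \uXXXX, so the value cannot close the
                    // string literal or the surrounding <script> element.
                    bool risky = c < 0x20 || c == '\'' || c == '"'
                              || c == '<' || c == '>' || c == '&'
                              || c == '\u2028' || c == '\u2029';
                    if (risky)
                        sb.Append("\\u").Append(((int)c).ToString("x4"));
                    else
                        sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample value: an apostrophe, a closing script tag and a newline.
        string html = "It's </script>\nnext";
        Console.WriteLine("var s = '" + JsLiteral.Encode(html) + "';");
    }
}
```

Because both quote characters are written as `\uXXXX`, the result is valid whichever delimiter the surrounding script uses. On .NET Framework 4.0 and later, `System.Web.HttpUtility.JavaScriptStringEncode` is a built-in alternative for the same purpose.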