From 0e9143bd970f82a0b838fb1da198b178a532d0c8 Mon Sep 17 00:00:00 2001 From: "Nick Curran [SSW]" <132531112+ncn-ssw@users.noreply.github.com> Date: Tue, 1 Aug 2023 14:19:08 +1000 Subject: [PATCH] =?UTF-8?q?Update=20Rule=20=E2=80=9Cdo-you-know-how-to-ren?= =?UTF-8?q?der-html-strings/rule=E2=80=9D=20(#6201)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/do-you-know-how-to-render-html-strings/rule.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/do-you-know-how-to-render-html-strings/rule.md b/rules/do-you-know-how-to-render-html-strings/rule.md index 81778062368..2ca3a879aa5 100644 --- a/rules/do-you-know-how-to-render-html-strings/rule.md +++ b/rules/do-you-know-how-to-render-html-strings/rule.md 
@@ -8,13 +8,13 @@ authors: created: 2023-07-28T07:23:06.201Z guid: 521afe97-18c3-43bc-8ada-f3782960b10f --- -To prevent cross-site scripting (XSS) attacks, HTML encoding is typically applied to restrain the browser from interpreting HTML strings as code. XSS attacks can occur when untrusted data is rendered on the browser without proper sanitization, thus potentially exposing the system to malicious scripts. +[Cross-site scripting (XSS) attacks](https://en.wikipedia.org/wiki/Cross-site_scripting) occur when untrusted data is rendered on the browser without proper sanitization, thus potentially exposing the system to malicious scripts. To prevent XSS attacks, HTML encoding is typically applied to prevent the browser from interpreting HTML strings as code. -However, this approach can sometimes cause confusion when an application requires to output raw HTML content that is already HTML encoded. +However, this approach can cause confusion when an application needs to output content that is already HTML encoded. -To solve this problem, the `IHtmlString` interface in .NET Core can be used to represent an HTML content that is pre-encoded and should not be encoded again. +To solve this problem, the [`IHtmlString`](https://learn.microsoft.com/en-us/dotnet/api/system.web.ihtmlstring) interface in .NET Core can be used to represent HTML content that is pre-encoded and should not be encoded again. This is to prevent double encoding, which can distort the original HTML content and cause it to display incorrectly on a web page. ```cs 
@@ -36,7 +36,7 @@ Figure: Good example - HTML tags using IHtmlContent have been treated as safe HT ::: ::: info -You should only use IHtmlString when you are sure that the string doesn't contain any potentially harmful script tags. When dealing with user-provided content or content from an untrusted source, always ensure to sanitize or validate the HTML before rendering it. +You should only use IHtmlString when you are sure that the string doesn't contain any potentially harmful script tags. When dealing with user-provided content or content from an untrusted source, always sanitize or validate the HTML before rendering it. ::: \ No newline at end of file
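Review bot: In the first hunk (the `-To solve this problem` / `+To solve this problem` pair), the new link `https://learn.microsoft.com/en-us/dotnet/api/system.web.ihtmlstring` points at the `System.Web` API, which is the .NET Framework type, while the sentence still says "in .NET Core" and the unchanged caption in the second hunk reads "HTML tags using IHtmlContent". Either the sentence should name the type the example actually uses (`IHtmlContent`, with the matching docs link) or the ".NET Core" wording should be dropped, so that readers do not go looking for `IHtmlString` in an ASP.NET Core project; as written, the rule text, the link and the figure caption each name something different.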
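Review bot: In the second hunk the `+You should only use IHtmlString` line still scopes the danger to "potentially harmful script tags", which understates the risk: marking a string as pre-encoded disables output encoding for everything in it, and XSS payloads also arrive as event-handler attributes and `javascript:` URLs, not only `<script>` elements. Suggest "doesn't contain any potentially harmful markup" and "always sanitize the HTML with an allow-list sanitizer or validate it before rendering", and align the type name with the caption (`IHtmlContent`) as in the earlier hunk. Minor: the trailing `\ No newline at end of file` means the file still lacks a final newline.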