Just use HttpUtility.HtmlEncode, because Server.HtmlEncode simply calls HttpUtility.HtmlEncode. Basically, if you are displaying text back to the user, and that text comes straight from the database, from databound objects, from a textbox the user filled in on the current page, etc., use HttpUtility.HtmlEncode, mainly to prevent script injection and to handle special characters such as blanks, punctuation, <, >, and so on.
Example:
// The footer row of the roles grid holds the textbox for the new role name.
TextBox TextBoxRoleName = (TextBox)RolesGridView.FooterRow.FindControl("TextBoxRoleName");
string newRoleName = TextBoxRoleName.Text.Trim();
// Encode the user-supplied name before it is placed into the label's markup.
LabelMessage.Text = "Role '" + Server.HtmlEncode(newRoleName) + "' already exists.";
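As an added illustration (not code from the original post), this standalone C# snippet contrasts the unencoded and encoded versions of the same label message on a constructed hostile role name; the helper names BuildMessageUnsafe and BuildMessageSafe are my own.

```csharp
using System;
using System.Web; // HttpUtility lives here; reference System.Web on .NET Framework

// Added example, not from the original post: why the role-name label must be
// HTML-encoded before it reaches the browser.
static class HtmlEncodeDemo
{
    // Unsafe pattern: user-controlled text concatenated straight into markup.
    // Any <script> or event-handler attribute in roleName survives intact.
    static string BuildMessageUnsafe(string roleName) =>
        "Role '" + roleName + "' already exists.";

    // Safe pattern from the post: HtmlEncode turns <, >, &, " (and ' on
    // .NET 4+) into entities, so the browser renders the name as plain text.
    static string BuildMessageSafe(string roleName) =>
        "Role '" + HttpUtility.HtmlEncode(roleName) + "' already exists.";

    // Quick check a reviewer can apply: encoded output must contain no raw tag.
    static bool ContainsRawTag(string html) =>
        html.Contains("<") || html.Contains(">");

    static void Main()
    {
        // Constructed hostile input, the kind of thing a user might type into
        // the footer textbox; it is only a test value for this demo.
        string newRoleName = "<script>alert('xss')</script>".Trim();

        string unsafeMarkup = BuildMessageUnsafe(newRoleName);
        string safeMarkup = BuildMessageSafe(newRoleName);

        Console.WriteLine("Unencoded: " + unsafeMarkup);
        Console.WriteLine("  contains raw tag: " + ContainsRawTag(unsafeMarkup));

        Console.WriteLine("Encoded:   " + safeMarkup);
        Console.WriteLine("  contains raw tag: " + ContainsRawTag(safeMarkup));
    }
}
```

HtmlEncode is the right tool for element text and quoted attribute values; text that ends up inside a script block or a URL needs HttpUtility.JavaScriptStringEncode or HttpUtility.UrlEncode respectively, since HTML entities do not neutralise those contexts.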
Of course, this leads to some quite important MSDN articles:
- HttpUtility.HtmlEncode Method
- MSDN – How To: Prevent Cross-Site Scripting in ASP.NET
- MSDN – Security Practices: ASP.NET 2.0 Security Practices at a Glance
The last two articles above are under the following bigger, broader title:
By Bryan Xu