.Net, ASP.NET, C#, Programming, VB.NET, Web Development, WebForms

ASP .NET: Safely Escape Data from your Database to Display in HTML but Still Keep Line Breaks

Justin Cooney
ASP.NET 4.6
ASP.NET 4.6

In this short article I will show a simple example of how to secure data for presentation but still keep select formatting such as line breaks. For more .NET tips feel free to browse the categories of my site at: https://jwcooney.com/category/net/

If you are presenting data from your database on a Web page, you’ll first need to escape special characters so that they don’t break your page. There are a number of ways to do this depending on if you are programmatically generating the data or if you are directly outputting the result of a SQLDataSource onto your page using an Eval. On top of this, you’ll likely also want to keep line breaks instead of escaping those too.

In this case, here is how you would directly output safely formatted database content onto a <div element on your HTML page.

A Note About Using the HTML Pre Element Instead of Div

In this example we programmatically format the line breaks to work with our HTML Div element. Depending on your situation a better alternative is possibly to use the Pre element. If you want to have your HTML display user-entered tabbing, spacing, and line breaks, without specifically encoding these in code, you should take a look at the HTML <pre element (here is a good explanation of how the HTML pre works).

Code in VB.NET:

<div id="ShowSomeText" title="Output Some DB Text"></div>
<div>        <%# WebUtility.HtmlEncode(CStr(Eva<wbr />l("Notes"))).Replace(ControlCh<wbr />ars.CrLf, "<br>")%></div>
<div></div>

Code in C#:

<div id="ShowSomeText" title="Output Some DB Text">
<div>        <%# WebUtility.HtmlEncode(Convert.ToString(Eval("Notes"))).Replace(ControlChars.CrLf, "<br>") %></div>
<div></div>

In the example script above, we:

  1. First cast the database content from the SQLDataSource to a String using the VB CStr(method (or the Convert.ToString( method in C#) around the Eval(.
  2. Then we use the HTMLEncode method provided by the .NET WebUltility library. This is the main method for securing the database content to make sure special characters in it don’t break the HTML of your page.
  3. Now that your content is safely encoded, we want to keep showing the line breaks that users have entered. If we don’t, then the content will just show up as a single block of text. To convert the line breaks we can do a simple Replace function to change line breaks to HTML <br> tags.

Summary

I hope you have found this information useful. Naturally, you can use almost the exact same code if you are processing the  database data programmatically.

Please feel free to leave comments or suggestions in the comments section below.

Advertisement

Published by Justin Cooney

I am a Senior Applications Programmer / Analyst with years of experience developing enterprise solutions using the Microsoft technology stack including C#, VB.NET, ASP.NET, AJAX, IIS and SQL Server. I specialize in Web application development with a focus on building secure systems, integrating applications, and designing robust database structures.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s