Question about HtmlEncode & XSS

kepler

New member
I'm writing a data migration tool atm, and some of the source data includes references to XSS or bits of script. When I read the fields I use System.Web.HttpUtility.HtmlEncode to safely encode it (as it's going to be rendered in a web app), so <script> becomes &lt;script&gt; etc.

I've checked the data as it gets read from the one database and finally used in the query to be written into the other. All the way through the encoding is present, and yet when the 2nd db is used by its web app, it renders decoded as <script>. Not only visually (as you'd expect) but the JavaScript actually executes. :/

Any ideas?
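An added example (not from the post or its author) that walks the same pipeline in Python, using html.escape as the stand-in for HttpUtility.HtmlEncode and an in-memory SQLite table as the target database. It shows what a correctly encoded value looks like at rest, gives an audit query for rows that still hold raw tags, and contrasts a renderer that emits the stored text as-is with a hypothetical consumer that calls html.unescape before rendering, which is one way encoded data can come back out as live markup. The sample rows, table name and both render functions are constructed for the demonstration; nothing here is the asker's actual code.

```python
import html
import re
import sqlite3

# Constructed sample source rows: one benign, one carrying a script tag.
SOURCE_ROWS = [
    (1, "Hello world"),
    (2, "<script>alert(1)</script>"),
]


def migrate(rows):
    """Encode each field (html.escape plays the role of HtmlEncode) and write it
    to an in-memory target table, mirroring the migration step in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE target (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO target (id, body) VALUES (?, ?)",
        [(row_id, html.escape(text)) for row_id, text in rows],
    )
    conn.commit()
    return conn


def stored_body(conn, row_id):
    """Read a field back exactly as it sits in the target database."""
    return conn.execute(
        "SELECT body FROM target WHERE id = ?", (row_id,)
    ).fetchone()[0]


# A raw tag opener such as "<script" or "</a"; an encoded value never matches
# because "<" has become "&lt;".
RAW_TAG = re.compile(r"<\s*/?\s*[A-Za-z]")


def find_unencoded_rows(conn):
    """Audit check: ids of rows whose stored body still contains a raw tag."""
    return [
        row_id
        for row_id, body in conn.execute("SELECT id, body FROM target")
        if RAW_TAG.search(body)
    ]


def render_as_stored(body):
    """Correct consumer: emits the already-encoded text unchanged, so the
    browser shows the literal characters and runs nothing."""
    return f"<p>{body}</p>"


def render_after_unescape(body):
    """Hypothetical consumer that decodes entities before emitting HTML.
    This reproduces the symptom in the question (script reappears and runs);
    it is an illustration of one possible cause, not the asker's application."""
    return f"<p>{html.unescape(body)}</p>"


if __name__ == "__main__":
    db = migrate(SOURCE_ROWS)
    print("stored:", stored_body(db, 2))
    print("rows with raw tags:", find_unencoded_rows(db))
    print("rendered as stored:", render_as_stored(stored_body(db, 2)))
    print("rendered after unescape:", render_after_unescape(stored_body(db, 2)))
```

The useful check is the middle one: if find_unencoded_rows is empty after the migration, the data at rest is inert, and the decode is happening on the reading side, so that is where to look next (a template helper, an ORM hook or an output filter that unescapes before rendering). Applying HtmlEncode once more on the way out would only produce visible "&amp;lt;" text, which is a sign of double encoding rather than a fix.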