I recently read from someone that they suggest to always perform a Server.HtmlEncode on user-entered text. While this is good advice, it reminded me that the DotNetNuke core gives us some additional security options in the DotNetNuke.Security.PortalSecurity class. I figured that I would blog about this, as the DNN core gives us a great deal of pre-written methods to help make development easier and faster. Even though a ton of functionality is written and provided to us, most people don’t know that much of this functionality exists.
The PortalSecurity class contains several methods to help you provide encryption, decryption, portal permissions, and user entry security to your modules and providers. Here is a listing the publically available methods in DNN version 5.00.01:
Now we are going to get into the meat of why I originally began writing this blog entry. We need to protect ourselves from malicious string values that may be submitted to our modules or providers. I used the word malicious, but it is possible that the person who does this might not be doing it intentionally. The most common way to protect against harmful user string values is shown below:
MyDataObject.PropertyName = Server.HtmlEncode(TextBox1.Text)
This will catch most of the security sensitive data that you don’t want to be saved and/or rendered to your DNN website. But sometimes you need something a little more specialized. The InputFilter() method in the PortalSecurity class will help you. To simulate the previous example, here is how it might change:
Dim pSecurity As New PortalSecurity
MyDataObject.PropertyName = pSecurity.InputFilter(TextBox1.Text, NoMarkup)
With just a tiny bit of extra coding, the previous example does pretty much the same exact thing as Server.HtmlEncode(). But you get out of it core functionality that can be reused over and over, and called from child threads or the DNN scheduler. It also performs a check to see if the encoding even needs to be done, potentially having higher performance than just calling HtmlEncode() alone. You may have already noticed, but the second argument in the InputFilter() method is an Enumeration, allowing for more ways to filter the users’ input.
Here are the values for the FilterFlag enumeration:
In the web.config, you have the following AppSetting:
<add key=”RemoveAngleBrackets” value=”false” />
If that AppSetting is either missing, or the value is False, then the angle brackets will not be removed even though you called it.
There you go! DotNetNuke does an outstanding job of doing a lot of work for us, and providing common functionality that we don’t need to write. This blog entry is a prime example of how much you can rely on DNN to save you time, effort, and add more value to your programming effort and project.