When to use the Encode HTML and Sanitize HTML


Just a quick survey for securing an app,

Note: I'm not fully knowledgeable on both of these functions, so correct me if I'm wrong...

For example, I have a parameter or data from the database with a whole value of 

'<b> test HTML from database or parameter </b>'

When it runs in an expression with no escape content, using the

EncodeHTML = replaces the tags with HTML literals, will output text only and will not run the HTML

SanitizeHTML = I really don't know what happens on the sanitize HTML action, but it will run the HTML just fine.

So based on my knowledge, EncodeHTML may be only applicable with a static HTML tag plus an input parameter,

e.g. "<b>" + EncodeHTML (InputTextToBold) + "</b>" 

and SanitizeHTML will work fine on both. 

1. "HTML + test value "     

2. "HTML"+ input/variable

So the thing is: when to use EncodeHTML and when to use SanitizeHTML?

Hi Sherwin,

As documented at HTML Injection Warning:

  • Use the EncodeHtml() built-in function to replace all HTML reserved characters by their escaped counterpart.
  • Use the SanitizeHtml() function from the Sanitization extension module to ensure that the value entered by the end user does not contain any malicious content.

Which means EncodeHTML will only take care of HTML characters. It does not protect you from cross-site scripting (XSS) or JavaScript injection vulnerabilities. Do NOT use EncodeHTML on the string literals that you may expect to use as part of the code.

SanitizeHTML, on the other hand, sanitizes the whole input provided by the end user. SanitizeHTML is widely used to sanitize user input and to sanitize API outcomes to avoid code injection in HTML, JavaScript and SQL.
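To make the difference between the two functions concrete for both the question and the reply above, here is an added JavaScript example. It is not the OutSystems EncodeHtml() or SanitizeHtml() implementation and not code from either poster: `encodeHtml` is a minimal entity encoder, `sanitizeHtml` is a minimal allowlist-based sanitizer (the tag allowlist, the function names and the sample inputs are all assumptions constructed for illustration), and `renderBoldLabel` is the "static tag plus encoded parameter" pattern from the question. Running the same database-style value through each shows that encoding turns markup into visible text, while sanitizing keeps harmless markup and strips what could execute.

```javascript
// Added example: minimal HTML encoder and allowlist sanitizer (not the
// OutSystems built-ins). A real sanitizer (e.g. the Sanitization extension,
// DOMPurify) does far more; this only illustrates the behaviour.

// encodeHtml: replace the HTML reserved characters with entities.
// The result renders as literal text; no markup in it is interpreted.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Tags the sanitizer keeps (constructed allowlist for this example).
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

// Text between tags: neutralise anything that could start a new tag.
function encodeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// sanitizeHtml: drop script/style blocks with their contents, keep only
// allowlisted tags (without any attributes), encode everything else.
function sanitizeHtml(html) {
  const src = String(html).replace(
    /<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, ""
  );
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^<>]*>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(src)) !== null) {
    out += encodeText(src.slice(last, m.index));
    const name = m[1].toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      // Keep the tag name only; attributes (event handlers etc.) are stripped.
      out += m[0].startsWith("</") ? `</${name}>` : `<${name}>`;
    }
    last = tagRe.lastIndex;
  }
  out += encodeText(src.slice(last));
  return out;
}

// The pattern from the question: trusted static markup around an encoded
// parameter. The parameter can never become markup of its own.
function renderBoldLabel(inputTextToBold) {
  return "<b>" + encodeHtml(inputTextToBold) + "</b>";
}

// Constructed sample values (the first is the one from the question).
const fromDatabase = "<b> test HTML from database or parameter </b>";
const hostile = '<b onmouseover="x()">hi</b><script>alert(1)</script>';

if (typeof require !== "undefined" && require.main === module) {
  console.log("encode  :", encodeHtml(fromDatabase));   // shows literal tags as text
  console.log("sanitize:", sanitizeHtml(fromDatabase)); // keeps the <b> markup
  console.log("sanitize:", sanitizeHtml(hostile));      // -> <b>hi</b>
  console.log("label   :", renderBoldLabel("<i>user</i>"));
}

module.exports = { encodeHtml, sanitizeHtml, renderBoldLabel, ALLOWED_TAGS };
```

The rule of thumb the output illustrates: use encoding wherever a value is meant to be displayed as text inside markup you control, and use sanitizing only where the value is genuinely meant to carry markup (rich text), because only a sanitizer keeps the allowed tags while removing script blocks and attributes that could run code.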