By Jonathan Kehayias @ Monday, July 21, 2008 8:13 AM

I have seen a number of posts on various forums regarding issues with loading the System.Web assembly as UNSAFE in SQL Server so that the HttpUtility.HtmlEncode/HtmlDecode methods can be used to encode or decode an input. The following function can be cataloged as SAFE in SQL Server and does exactly the same thing that the HtmlEncode method in System.Web does.

 

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Globalization;
using System.Text;
 
public partial class UserDefinedFunctions
{
    [Microsoft.SqlServer.Server.SqlFunction]
    public static string HtmlEncode(string s)
    {
        if (s == null)
        {
            return null;
        }
        int num = IndexOfHtmlEncodingChars(s, 0);
        if (num == -1)
        {
            return s;
        }
        StringBuilder builder = new StringBuilder(s.Length + 5);
        int length = s.Length;
        int startIndex = 0;
    Label_002A:
        if (num > startIndex)
        {
            builder.Append(s, startIndex, num - startIndex);
        }
        char ch = s[num];
        if (ch > '>')
        {
            builder.Append("&#");
            builder.Append(((int)ch).ToString(NumberFormatInfo.InvariantInfo));
            builder.Append(';');
        }
        else
        {
            char ch2 = ch;
            if (ch2 != '"')
            {
                switch (ch2)
                {
                    case '<':
                        builder.Append("&lt;");
                        goto Label_00D5;
 
                    case '=':
                        goto Label_00D5;
 
                    case '>':
                        builder.Append("&gt;");
                        goto Label_00D5;
 
                    case '&':
                        builder.Append("&amp;");
                        goto Label_00D5;
                }
            }
            else
            {
                builder.Append("&quot;");
            }
        }
    Label_00D5:
        startIndex = num + 1;
        if (startIndex < length)
        {
            num = IndexOfHtmlEncodingChars(s, startIndex);
            if (num != -1)
            {
                goto Label_002A;
            }
            builder.Append(s, startIndex, length - startIndex);
        }
        return builder.ToString();
    }
 
 
    private static int IndexOfHtmlEncodingChars(string s, int startPos)
    {
        char[] chars = s.Substring(startPos).ToCharArray();
 
        for (int i = 0; i < chars.Length; i++)
        {
            char ch = chars[i];
            if (ch <= '>')
            {
                switch (ch)
                {
                    case '<':
                    case '>':
                    case '"':
                    case '&':
                        return (startPos + i);
 
                    case '=':
                        break;
                }
            }
            else if ((ch >= '\x00a0') && (ch < '\x0100'))
            {
                return (startPos + i);
            }
        }
        return -1;
    }
 
};
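
One way to catalog the function above with the SAFE permission set and confirm what SQL Server recorded. This T-SQL is an added example, not part of the original post; the assembly name `SafeHtmlUtility`, the DLL path and the sample strings are assumptions made for illustration.

```sql
-- Added example. Assumed names: assembly SafeHtmlUtility, built from the
-- C# above into C:\SQLCLR\SafeHtmlUtility.dll (placeholder path).

-- CLR integration is off by default and must be enabled once per instance.
EXEC sp_configure 'clr enabled', 1;
RECONFIGURE;
GO

-- SAFE: the assembly gets no file, network, registry or native-code access.
-- This works because the function only uses System.Text and
-- System.Globalization and does not reference System.Web.
CREATE ASSEMBLY SafeHtmlUtility
FROM 'C:\SQLCLR\SafeHtmlUtility.dll'
WITH PERMISSION_SET = SAFE;
GO

-- Bind a T-SQL scalar function to the static method
-- UserDefinedFunctions.HtmlEncode from the listing above.
CREATE FUNCTION dbo.HtmlEncode (@s nvarchar(max))
RETURNS nvarchar(max)
WITH RETURNS NULL ON NULL INPUT
AS EXTERNAL NAME SafeHtmlUtility.UserDefinedFunctions.HtmlEncode;
GO

-- Confirm the permission set that was actually recorded.
SELECT name, permission_set_desc
FROM sys.assemblies
WHERE name = N'SafeHtmlUtility';

-- Constructed sample input. Per the C# above, the characters rewritten are
-- < > " & and U+00A0 through U+00FF.
SELECT dbo.HtmlEncode(N'<a href="x">Tom & Jerry</a>') AS encoded_markup;

-- The apostrophe is not in that set, so it passes through unchanged.
-- Place the encoded value in element content or inside double-quoted
-- attributes, not inside single-quoted attributes.
SELECT dbo.HtmlEncode(N'O''Brien') AS encoded_name;
```

On SQL Server 2017 and later, `clr strict security` is enabled by default and treats SAFE assemblies as UNSAFE when they are loaded, so the assembly must also be signed or otherwise trusted on those versions.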