Use html.encode for query string parameters


Is it a good practice to use html.encode before passing the query string parameters to the business layer? The scenario is with respect to the asp.net framework, and I am wondering whether or not I must encode the contents of the query string before reading the values from the keys.

I know we can always convert the contents to the expected data type, but my question is from a design perspective.

Thanks!


Timothy Randall

I would say yes. At the very least you want to because the browser may get the encodings wrong. One symbol might show up as another, or as an unknown character. It may even get mixed up with the preceding character if the browser gets it wrong.

More complex reasons include that it helps protect against HTML injection.

The short explanation of why you need to use HTML encoding is simply that a certain set of characters mean something special in HTML, and encoding handles symbols such as carets and ampersands gracefully across all browsers.
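An added example, not from the question or the answer, showing what HTML encoding does to query-string values that contain the HTML-significant characters the answer mentions. It uses HttpUtility from System.Web (ASP.NET); the query string itself is constructed for the demonstration.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility lives in System.Web.dll (ASP.NET)

class QueryEncodingDemo
{
    // Constructed sample query string: one value carries HTML tags, the other a
    // URL-encoded ampersand (%26) and a double quote (%22).
    const string RawQuery = "q=<b>hello</b>&name=Tom%20%26%20%22Jerry%22";

    // Returns the HTML-encoded form of one query-string value: <, >, &, and "
    // become &lt; &gt; &amp; &quot; so a browser renders them as text, not markup.
    static string EncodeForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    static void Main()
    {
        // ParseQueryString splits on & and URL-decodes each value, so "%26" is
        // already a literal "&" here; that is the value the business layer sees.
        NameValueCollection values = HttpUtility.ParseQueryString(RawQuery);

        foreach (string key in values.AllKeys)
        {
            string raw = values[key];
            string encoded = EncodeForHtml(raw);
            Console.WriteLine("{0}: raw=[{1}] html-encoded=[{2}]", key, raw, encoded);
        }
    }
}
```

Running it prints the raw value beside its encoded form for each key, which makes it easy to see which characters the encoding step actually changes.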