ASP.NET MVC 2 - AntiXSS vs. Native MVC Encoding

Now that MVC has introduced HTML encoding through

<%: blah %> 

is there any other meaning when using

<%= AntiXSS.HTMLEncode(blah) %> 

instead?

For example: My application will accept all content (including JavaScript) and store it in the raw state in the database. I planned to simply output everything, using something like <%: model.Name %> and relying on the "material" of MVC to make an encoding for me.

Is this method safe enough to rely on AntiXSS, or do I need to use the AntiXSS library explicitly? If I need to use the AntiXSS library, may I ask why this has not already been built into MVC?

+5

, - , , AntiXss asp.net, .

+5

<%: HTML. HTML, Javascript , HTML, .

+2

Per Phil Haack: AntiXss ASP.NET ASP.NET 4 ( MVC), HTML AntiXSS.

Reasons against "AntiXSS.HTMLEncode":
1) The shorthand is easier to code.
2) Calling the helper method (<%: %> / @: / HttpUtility.HtmlEncode / Server.HtmlEncode / etc.) and keeping the encoder implementation separate makes your code easier to maintain compared with a specific implementation of AntiXSS.

However, I believe that "AntiXSS.HTMLEncode" is the only option for .NET versions < 4.

+1
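The difference the answers describe between the built-in helper and the AntiXSS library, and the ASP.NET 4 hook that lets `<%: %>` route through AntiXSS, as an added example (not code from the question or any answer). It assumes ASP.NET 4 and a project reference to AntiXssLibrary.dll (AntiXSS 4.x), which supplies `Microsoft.Security.Application.Encoder` and `AntiXssEncoder`; the input string is constructed.

```csharp
// Added example, not from the original thread. Assumes ASP.NET 4 and a
// reference to AntiXssLibrary.dll (AntiXSS 4.x).
using System;
using System.Web;                       // HttpUtility.HtmlEncode
using Microsoft.Security.Application;   // AntiXSS Encoder class

class EncodingComparison
{
    // Constructed sample input: the kind of raw, user-supplied content the
    // question stores unmodified in the database.
    const string Raw = "<img src=x onerror=alert('x')> Tom & Jerry";

    static void Main()
    {
        // 1) What <%: %> does on a default ASP.NET 4 install: it calls
        //    HttpUtility.HtmlEncode, which escapes only the characters that
        //    are significant in HTML (< > & " and, on .NET 4, ').
        Console.WriteLine(HttpUtility.HtmlEncode(Raw));

        // 2) AntiXSS HtmlEncode works from a whitelist: every character that
        //    is not on the safe list is encoded, so its output is a superset
        //    of (1). Both neutralise the tag in the sample input.
        Console.WriteLine(Encoder.HtmlEncode(Raw));

        // 3) The context matters more than which library is used. HTML body
        //    encoding is the wrong tool inside a <script> block or an
        //    attribute value; AntiXSS provides encoders for those contexts.
        Console.WriteLine(Encoder.JavaScriptEncode(Raw));    // for JS string literals
        Console.WriteLine(Encoder.HtmlAttributeEncode(Raw)); // for attribute values
    }
}

// To make <%: %> (and every HttpUtility.HtmlEncode call) go through AntiXSS on
// ASP.NET 4 without changing the views, register the AntiXSS encoder in
// web.config:
//   <system.web>
//     <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
//   </system.web>
```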
