HTML coding in MVC input

I am working through NerdDinner and I got a little confused in the following section ...

First they added a form to create a new dinner with a bunch of text fields, for example:

<%= Html.TextArea("Description") %>

They then show two ways to bind form input to a model:

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create()
    {
        Dinner dinner = new Dinner();
        UpdateModel(dinner);
        ...
    }

or

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create(Dinner dinner)
    {
        ...
    }

Well, great, so far everything looks very simple.

Then a little later they say:

It is important to always be paranoid about security when receiving any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks.

But wait: MVC handles the data binding for us. Where/how should you do the HTML encoding?

+6
security asp.net-mvc html-encode
1 answer

Usually (but not always) you want to HTML encode the values when they are written out, usually in your views, but possibly also in the controller.

Information here: http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

+2
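The following is an added example, not code from the question, the answer or NerdDinner. It shows the point of the answer in plain C#: model binding copies the user's text into the model unchanged, and encoding belongs where the value is written into the page. The Dinner class is a stand-in for the tutorial's model with only the Description field, DinnerOutput is a hypothetical helper that does by hand what the view syntax in the comments does, and System.Net.WebUtility.HtmlEncode stands in for Html.Encode so the program runs as a console app without System.Web. It also goes one step beyond the answer by showing what happens when you encode in both the controller and the view.

```csharp
using System;
using System.Net;

// Added example, not NerdDinner's code. Dinner is a stand-in for the
// tutorial's model, reduced to the one field this example needs.
public class Dinner
{
    public string Description { get; set; }
}

// Hypothetical helper: each method renders the description the way one of
// the view syntaxes discussed on the page would.
public static class DinnerOutput
{
    // Encode at the point of output. This is what
    //   <%= Html.Encode(Model.Description) %>   (ASP.NET MVC 1)
    //   <%: Model.Description %>                (ASP.NET 4 / MVC 2)
    // do. The raw text stays in the model; it is made safe only when it
    // becomes HTML, so the stored value still round-trips into an edit form.
    public static string RenderEncoded(Dinner dinner)
    {
        return "<p>" + WebUtility.HtmlEncode(dinner.Description) + "</p>";
    }

    // The unsafe form, <%= Model.Description %>: the user's text is copied
    // into the page as markup, so a <script> element in the description
    // becomes a script the browser runs (the injection the tutorial warns about).
    public static string RenderRaw(Dinner dinner)
    {
        return "<p>" + dinner.Description + "</p>";
    }

    // The caveat when encoding in the controller as well as in the view:
    // a value encoded at bind time and encoded again on output comes out
    // double-encoded, so the reader sees literal "&lt;b&gt;" on the page
    // instead of bold text. Pick one place to encode; the view is the usual one.
    public static string RenderEncodedTwice(Dinner dinner)
    {
        string encodedAtBindTime = WebUtility.HtmlEncode(dinner.Description);
        return "<p>" + WebUtility.HtmlEncode(encodedAtBindTime) + "</p>";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed input: a description carrying markup the site author
        // never intended to render. UpdateModel(dinner) or the Create(Dinner)
        // parameter would place this string into the model exactly as typed.
        var dinner = new Dinner
        {
            Description = "Tacos <script>alert(1)</script> & <b>salsa</b>"
        };

        Console.WriteLine("raw (unsafe):      " + DinnerOutput.RenderRaw(dinner));
        Console.WriteLine("encoded (correct): " + DinnerOutput.RenderEncoded(dinner));
        Console.WriteLine("encoded twice:     " + DinnerOutput.RenderEncodedTwice(dinner));
    }
}
```

Run it and compare the three lines: only the second one leaves the browser with text to display rather than elements to execute, and only the second one displays what the user typed. Note that Html.TextArea("Description") already encodes the value it puts back into the edit form, which is why the tutorial's form is safe even though the model holds the raw text.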
