Marked as answer by ricka6 on Jun 21, 2010 05:28 PM
Marked as answer by ricka6 on Jun 21, 2010 05:24 PM
vishalbhambu...
Member
17 Points
33 Posts
MVC 2 + .Net 3.5 & HTML Encoding
Jun 13, 2010 01:44 AM
Hi
In my views I want to use Html.TextBoxFor or the relevant new MVC 2 specific HTML helper controls. However, I need to make sure the content of these is encoded. How do I do it? Samples will really help. I don't want to use .NET 4. Also, I saw the Anti-XSS library but have no idea how to make use of it in MVC.
Please help
Thanks
Vishal
ignatandrei
All-Star
135204 Points
21687 Posts
Moderator
MVP
Re: MVC 2 + .Net 3.5 & HTML Encoding
Jun 13, 2010 05:06 AM
I think that the best option for you is to read:
http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx
krokonoster
Contributor
4291 Points
1352 Posts
Re: MVC 2 + .Net 3.5 & HTML Encoding
Jun 13, 2010 05:53 AM
Andrei's right.
For additional "education", watch: Microsoft ASP.NET MVC Security. Good stuff.
imran_ku07
All-Star
45815 Points
7698 Posts
MVP
Re: MVC 2 + .Net 3.5 & HTML Encoding
Jun 13, 2010 11:49 AM
No need to do this; the Html helpers encode by default.
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
vishalbhambu...
Member
17 Points
33 Posts
Re: MVC 2 + .Net 3.5 & HTML Encoding
Jun 14, 2010 06:37 PM
Hi, thanks for the reply. I saw this previously, but I can't use .NET 4 ":". That's why I posted this query; I need to use <%= Html.TextBoxFor() %>. Let me know the alternatives. I understand that the HTML helper does encoding, but it's not foolproof; this is what I read on ScottGu's blog. So I want to be on the safer side.
imran_ku07
All-Star
45815 Points
7698 Posts
MVP
Re: MVC 2 + .Net 3.5 & HTML Encoding
Jun 15, 2010 01:57 AM
You can use .NET 4 ":". All Html helpers are restructured in ASP.NET MVC 2, so they return IHtmlString to avoid double encoding.
Check:
http://haacked.com/archive/2009/09/25/html-encoding-code-nuggets.aspx
You can also use AntiXSS:
http://haacked.com/archive/2010/04/06/using-antixss-as-the-default-encoder-for-asp-net.aspx
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
vishalbhambu...
Member
17 Points
33 Posts
Re: MVC 2 + .Net 3.5 & HTML Encoding
Jun 17, 2010 03:22 AM
As I said, I can't use 4.0 due to the client's tech stack. I have already seen these articles. Is there any other option for Anti-XSS? I'm looking for working code if available. I don't have 2010, else I would have tested Haack's code.
levib
Star
7702 Points
1099 Posts
Microsoft
Re: MVC 2 + .Net 3.5 & HTML Encoding
Jun 17, 2010 05:43 AM
ASP.NET's built-in encoder can't be replaced in .NET 3.5. If you want this functionality, you'll need to use .NET 4. Please note that the built-in encoder isn't unsafe or flawed, so you don't have to worry about it. It just uses a different approach to encoding than does the Anti-XSS encoder. Some enterprises require that their organizations use Anti-XSS, hence the reason for exposing the extensibility mechanism in the first place. If your organization doesn't have such a requirement, no action is required on your part.
If you're developing a helper, we recommend that you use the System.Web.Mvc.TagBuilder class to generate the markup. This is what all of the built-in helpers do. The TagBuilder class if running on .NET 3.5 will use the built-in encoder; running on .NET 4 it will use the custom encoder if one has been specified.
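A custom helper built on TagBuilder, as recommended in the reply above, shown beside a string-concatenation version of the same markup. This is an added example, not code from the thread or from ASP.NET MVC; the class and helper names (EncodedHelpers, UnsafeTextBox, LabeledTextBox) are hypothetical.

```csharp
using System.Web.Mvc;

// Added example: EncodedHelpers, UnsafeTextBox and LabeledTextBox are
// hypothetical names, not part of ASP.NET MVC.
public static class EncodedHelpers
{
    // Weak form: concatenation writes 'value' into the attribute unencoded,
    // so a quote or angle bracket in user input changes the markup.
    public static string UnsafeTextBox(this HtmlHelper html, string name, string value)
    {
        return "<input type=\"text\" name=\"" + name + "\" value=\"" + value + "\" />";
    }

    // Hardened form: TagBuilder encodes attribute values when the tag is
    // rendered, and SetInnerText HTML-encodes the element's text content.
    public static MvcHtmlString LabeledTextBox(
        this HtmlHelper html, string name, string label, string value)
    {
        var labelTag = new TagBuilder("label");
        labelTag.MergeAttribute("for", name);
        labelTag.SetInnerText(label);          // encoded; InnerHtml would not be

        var input = new TagBuilder("input");
        input.MergeAttribute("type", "text");
        input.MergeAttribute("id", name);
        input.MergeAttribute("name", name);
        input.MergeAttribute("value", value);  // attribute-encoded on ToString

        // MvcHtmlString marks the result as already encoded, so it is not
        // encoded a second time if the project later moves to <%: %>.
        return MvcHtmlString.Create(
            labelTag.ToString(TagRenderMode.Normal) +
            input.ToString(TagRenderMode.SelfClosing));
    }
}

// In a .NET 3.5 view (Model.Comment is an assumed model property):
//   <%= Html.LabeledTextBox("Comment", "Your comment", Model.Comment) %>
// Model text written outside a helper still needs explicit encoding:
//   <%= Html.Encode(Model.Comment) %>
```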