1) This isn't webforms anymore, and there are no server controls to auto-encode your raw text
So why not extend the asp.net compiler to auto encode <%= %>? If it's not webforms, there are no backwards compatibility problems there. If people could make pre-compilers that add runat="server" for <asp: tags, I am sure you could come up with something to wrap all calls to <%= %> in Html.Encode(). Or just switch to Boo, it can do it no problem.
robconery
2) I fully realize the implication of encoded text in the DB
No you don't, or the community would not have responded the way it did.
robconery
3) I also fully realize the hole you create when unencoded text is sent to the browser. ScottGu just did it on his blog (yes, I know it was a demo, but how often do we work under the "this is just a quicky" thing)
Bad developers, bad testing, bad framework design, maybe just a bug? Don't make the same mistakes you did in webforms; fix the real problem. HTML encode output, not input.
robconery
4) I'm not *forcing* anyone to do anything :)
Yes you are: you are forcing EVERYONE on this thread to call UpdateFromRaw. You are forcing me to write FxCop rules and do code analysis ensuring that I always call UpdateFromRaw and never call UpdateFrom. You are forcing me to educate my developers on using non-standard method calls. Why would a dev know to use UpdateFromRaw? That just sounds weird; what's raw? You are forcing me to write some precompiler process to replace all UpdateFrom calls with UpdateFromRaw because I have no good way of testing that my database does not contain encoded data. You are forcing Microsoft to upset a lot of people by not listening to the community from the beginning. Why ask for feedback if you don't listen?
And you may be forcing me to stick with Monorail...
Wow... I need to stop sounding like Bellware [:)]... I guess I would need a little RoR speak to really sound like him.
This is a harsh response; please excuse the tone. I appreciate the work the whole team is doing. I want this project to succeed, I just think this is the wrong solution and it is not solving the real problem.
abombss
Member
575 Points
164 Posts
Re: UpdateFrom and Encoding
Dec 19, 2007 02:15 AM
No, you are not listening to the community.
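Added example, not code from this thread or from ASP.NET MVC: a C# console program that shows the difference abombss is arguing about, encoding a posted value when it is bound (UpdateFrom, encode on input) versus encoding where the value is written into HTML (Html.Encode in the view, encode on output). The UpdateFrom, UpdateFromRaw, RenderHtml and RenderTrustingDb methods are stand-ins written for this demo, not the MVC Toolkit's; System.Net.WebUtility.HtmlEncode/HtmlDecode are the real .NET calls, and the posted string is constructed.

```csharp
using System;
using System.Net;

// Demo of "encode on input" vs "encode on output" (added example; the
// UpdateFrom/UpdateFromRaw names mirror the thread, not the real binder).
static class EncodeOutputNotInput
{
    // One string column of a simulated database row.
    static string _stored = "";

    // Strategy A (encode on input): the binder encodes before persisting.
    static void UpdateFrom(string posted) => _stored = WebUtility.HtmlEncode(posted);

    // Strategy B (store raw): persist exactly what the user typed.
    static void UpdateFromRaw(string posted) => _stored = posted;

    // A view that encodes at the boundary where text becomes HTML.
    // This is the only encoding step strategy B needs.
    static string RenderHtml(string value) => "<p>" + WebUtility.HtmlEncode(value) + "</p>";

    // A view that assumes the database is already encoded (what strategy A
    // invites). It is correct only while every write path encoded; a single
    // raw row (imported data, a call to UpdateFromRaw, an older app sharing
    // the table) reaches the browser as markup.
    static string RenderTrustingDb(string value) => "<p>" + value + "</p>";

    // Round trip through an edit form: the view encodes the stored value
    // into an <input value="..."> attribute, the browser decodes it for
    // display, the user submits it unchanged, and the binder stores it again.
    static string ResubmitUnchanged(Action<string> binder)
    {
        string attribute = WebUtility.HtmlEncode(_stored);
        string whatBrowserPosts = WebUtility.HtmlDecode(attribute);
        binder(whatBrowserPosts);
        return _stored;
    }

    static void Main()
    {
        // Constructed user input: harmless, but contains every HTML-special character.
        const string posted = "5 > 3 && <b>bold</b>";

        Console.WriteLine("-- Strategy A: encode on input (UpdateFrom) --");
        UpdateFrom(posted);
        Console.WriteLine("stored:        " + _stored);
        Console.WriteLine("view encodes:  " + RenderHtml(_stored));      // double-encoded
        Console.WriteLine("view trusts:   " + RenderTrustingDb(_stored)); // right, until one raw row
        for (int i = 1; i <= 2; i++)
            Console.WriteLine($"after edit {i}: " + ResubmitUnchanged(UpdateFrom));

        Console.WriteLine("-- Strategy B: store raw, encode on output (UpdateFromRaw + Html.Encode) --");
        UpdateFromRaw(posted);
        Console.WriteLine("stored:        " + _stored);
        Console.WriteLine("view encodes:  " + RenderHtml(_stored));      // correct and safe
        Console.WriteLine("view trusts:   " + RenderTrustingDb(_stored)); // markup reaches the browser
        for (int i = 1; i <= 2; i++)
            Console.WriteLine($"after edit {i}: " + ResubmitUnchanged(UpdateFromRaw));
    }
}
```

Under strategy A the stored column already holds entities, a view that encodes turns them into `&amp;lt;` sequences the user sees literally, and each unchanged save through an edit form adds another layer of encoding, so the data in the table depends on how many times it was edited. Under strategy B the column stays stable across edits and the encoding view renders the text the user typed without interpreting it; the trusting view is the hole the thread's point 3 describes, and it exists whenever any write path did not encode.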