mbevins1
Member
19 Points
27 Posts
MVC3 Prevent XSS with entity framework
Jun 15, 2012 04:14 PM|LINK
Hello, I am having a hard time trying to figure out how to HTML.Encode the line below. It is on a form where, if the user hits edit, the class changes for the text box, making it visible; when not in edit mode it just looks like a label would. My problem is, I cannot figure out how to HTML encode it. Can someone please help?
@Html.TextBoxFor( model => model.CustomerInfo.FirstName, new { @class = "text" })
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: MVC3 Prevent XSS with entity framework
Jun 15, 2012 04:36 PM|LINK
@Html.TextBox is already HTML encoding the value, so I'm unclear on what the problem is. Can you elaborate or show an example?
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
mbevins1
Member
19 Points
27 Posts
Re: MVC3 Prevent XSS with entity framework
Jun 15, 2012 04:38 PM|LINK
That is what I thought, but if I add <script>alert(1)</script> to it, it will display the JavaScript alert.
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: MVC3 Prevent XSS with entity framework
Jun 15, 2012 07:19 PM|LINK
Can you show how you're adding that?
mbevins1
Member
19 Points
27 Posts
Re: MVC3 Prevent XSS with entity framework
Jun 15, 2012 09:15 PM|LINK
I am adding that in the input box and then clicking save, which then displays the value in the page. At that point the JavaScript alert is displayed. The team who wrote the page used some type of third-party editor which switches between edit mode and display mode. I am starting to think it has something to do with that.
BrockAllen
All-Star
27554 Points
4912 Posts
MVP
Re: MVC3 Prevent XSS with entity framework
Jun 15, 2012 09:17 PM|LINK
Yeah, sounds like they're taking the value and then displaying it, so if they're the ones displaying and they're not encoding, then it's an issue. Since they're the ones displaying, I'd prefer to see them do the encoding, since it'd suck to have to encode every value you pass into them. But you might have to resort to that...
mbevins1
Member
19 Points
27 Posts
Re: MVC3 Prevent XSS with entity framework
Jun 15, 2012 09:27 PM|LINK
Montago
Member
176 Points
90 Posts
Re: MVC3 Prevent XSS with entity framework
Jun 16, 2012 12:42 AM|LINK
Why don't you use the Sanitizer object?
Otherwise, call Server.HtmlEncode:
@Html.TextBox("FirstName", Server.HtmlEncode(Model.CustomerInfo.FirstName), new { @class = "text" })
which of course is complete rubbish, because < turns into &lt; and so on.
Microsoft Gold Partner
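Added example, not code from this thread or from the editor component the original poster describes. It simulates in plain JavaScript what the two replies above argue: BrockAllen's point that the TextBox helper already encodes the value attribute, so the hole is in the third-party display mode that reads the raw value back and writes it into markup without encoding, and Montago's point that pre-encoding the value before handing it to the helper double-encodes it. The widget rendering functions, the payload and the attribute read-back are constructed for the demonstration and are assumptions; the real editor's internals are not on the page.

```javascript
// Added example (not from the thread). Simulates the edit/display widget
// described above: Razor renders an <input> whose value attribute is
// HTML-encoded, the browser hands the raw string back through .value, and a
// display-mode renderer that concatenates that raw string into markup
// re-introduces the script. Encoding belongs at the point of display.

// Minimal HTML encoder for the five characters that matter in attribute and
// text context (the same set HttpUtility.HtmlEncode escapes).
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Inverse of htmlEncode, used only to simulate the browser decoding the
// attribute once before exposing it via input.value.
function htmlDecode(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[e]));
}

// What @Html.TextBoxFor emits: the value attribute is encoded.
function renderEditMode(name, value) {
  return `<input class="text" name="${htmlEncode(name)}" value="${htmlEncode(value)}" />`;
}

// Vulnerable display mode (assumed shape of the third-party widget): reads
// the raw value and concatenates it into markup, which is what the original
// poster observed.
function renderDisplayModeUnsafe(rawValue) {
  return `<span class="text">${rawValue}</span>`;
}

// Fixed display mode: encode at the point of output.
function renderDisplayModeSafe(rawValue) {
  return `<span class="text">${htmlEncode(rawValue)}</span>`;
}

// Montago's alternative: pre-encode before passing to the helper. The helper
// encodes again, so '<' ends up as '&amp;lt;' and the user sees a literal
// '&lt;' in the text box.
function renderEditModePreEncoded(name, value) {
  return renderEditMode(name, htmlEncode(value));
}

// Rough check, sufficient for the constructed payload: is there a live
// <script> start tag in the produced markup?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed payload matching the one used in the thread.
const PAYLOAD = '<script>alert(1)</script>';

function demo() {
  const edit = renderEditMode('CustomerInfo.FirstName', PAYLOAD);
  // Simulate the browser decoding the attribute once: what the widget reads
  // back via .value is the original raw string, not the encoded one.
  const readBack = htmlDecode(/value="([^"]*)"/.exec(edit)[1]);
  return {
    editMarkup: edit,
    unsafeDisplay: renderDisplayModeUnsafe(readBack),
    safeDisplay: renderDisplayModeSafe(readBack),
    doubleEncoded: renderEditModePreEncoded('CustomerInfo.FirstName', PAYLOAD),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('edit mode   :', r.editMarkup);
  console.log('unsafe view :', r.unsafeDisplay, '-> script tag:', containsScriptTag(r.unsafeDisplay));
  console.log('safe view   :', r.safeDisplay, '-> script tag:', containsScriptTag(r.safeDisplay));
  console.log('pre-encoded :', r.doubleEncoded);
}
```

The edit-mode markup is inert because the helper encoded the attribute; the unsafe display mode produces a live script tag from the very same value, and the pre-encoded variant shows `&amp;lt;` in the attribute, which the browser renders as a visible `&lt;`. The fix is in `renderDisplayModeSafe`, i.e. in the code that writes the value into the page, not in the value passed to the TextBox helper.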