HomeCinemaGu...
Difference in HTML encoding between MVC framework encoding and HttpUtility
Jul 20, 2012 08:03 PM
Hi.
I have the following problem.
My model contains
string description where user can insert anything. MVC does HTML encoding but for some reason it does not encode ' (not very much liked by my insert sql)
[HttpPost]
Create(Model model)
If I debug here on model.Description I will find that the sentence "Pamela & Denise are hot girls, but Pamela's ass is the best" is encoded to "Pamela &amp; Denise are hot girls, but Pamela's ass is the best" by MVC
If I have a string sentence = "Pamela & Denise are hot girls, but Pamela's ass is the best"
and do HttpUtility.HtmlEncode(sentence) I get
"Pamela &amp; Denise are hot girls, but Pamela&#39;s ass is the best"
Is there any way to get MVC to encode ' correctly?
Thanks for any replies
(problem has been updated to describe it better)
BrockAllen
Jul 20, 2012 08:34 PM
MVC is encoding correctly, you're the one that's not :)
So as you noticed, you only want to encode once, so you should only encode when rendering. Now this means you might be storing bad stuff in the DB so you should sanitize on the way in and store that. Here's a recent post on the state of affairs with input sanitization.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
CodeHobo
Jul 20, 2012 08:45 PM
Brock is correct, MVC is encoding it correctly. My guess is that you are doing something like this:
@Model.Description @* this gives the correct result *@
@{
    Model.Description = HttpUtility.HtmlEncode(Model.Description);
}
@Model.Description @* this now shows &#39; *@
The reason the second one shows &#39; is because you are double encoding; the @ automatically HTML encodes. Look at the source code, you'll find the standard MVC encode becomes '&#39;' while the second becomes '&amp;#39;'
Blog | Twitter : @Hattan
HomeCinemaGu...
Jul 20, 2012 08:55 PM
Seems like I described my problem poorly. I'll try again.
Let's focus on the create method
[HttpPost]
Create(Model model)
If I debug here on model.Description I will find that the sentence "Pamela & Denise are hot girls, but Pamela's ass is the best" is encoded to "Pamela &amp; Denise are hot girls, but Pamela's ass is the best" by MVC
If I have a string sentence = "Pamela & Denise are hot girls, but Pamela's ass is the best"
and do HttpUtility.HtmlEncode(sentence) I get
"Pamela &amp; Denise are hot girls, but Pamela&#39;s ass is the best"
CodeHobo
Jul 20, 2012 09:11 PM
MVC HTML encodes when you write the data out to the view; it doesn't automatically HTML encode input variables upon form post.
Why don't you just post the entire code for your view and your controller so we can see what's going on?
Blog | Twitter : @Hattan
HomeCinemaGu...
Jul 20, 2012 09:21 PM
I am new to MVC and in fact I did not know at first that it did encode automagically, but when I realized that everything was double encoded when stored into the db I started debugging and realized that MVC in fact does HTML encoding when storing and decoding if you want to show date in a textbox when editing. Then I had to remove my encoding in the controller, but then I was left with the ' that was not encoded.
My code is very simple:
[HttpPost]
[ValidateInput(false)]
public ActionResult Edit(PresentationBE presentation)
{
    HttpRequestBase request = HttpContext.Request;
    //I want mvc to do this encoding: This is stupid code
    presentation.Description = presentation.Description.Replace("'", "&#39;");
    presentation.Title = presentation.Title.Replace("'", "&#39;");
    try
    {
        using (ForumProxy proxy = new ForumProxy())
        {
            proxy.UpdatePresentation(presentation);
        }
        return Redirect("/");
    }
    catch
    {
        return View();
    }
}
ignatandrei
Jul 21, 2012 05:15 AM
Try
@Html.Raw(
HomeCinemaGu...
Jul 21, 2012 07:37 AM
I have no problem with presenting the values correctly; the problem as I describe it is the inconsistency when inputting data from a textbox (EditorFor) (I assume the input does not matter, it is the code that parses from httpPost to an object that does this)
@Html.Raw is for presenting the values as they are (I use it several places)
CodeHobo
Jul 21, 2012 08:01 PM
MVC doesn't encode anything when model binding or saving data, the framework only html encodes when you display the data.
What does your view look like?
I think what's happening is that you are incorrectly encoding the data in the view, or it somehow was encoded in the database already, in which case you need to re-evaluate the process flow and not just focus on this issue. I think saying that you need MVC to simply do the encoding is oversimplifying your issue.
Blog | Twitter : @Hattan
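Added example, not part of the thread and not any poster's code: the encode-once rule the replies describe, next to a parameterized update that stores the raw text so the apostrophe needs no encoding before it reaches SQL. System.Net.WebUtility stands in for HttpUtility so the program runs as a console app; the sample string, the table and column names and the Save helper are assumptions, and Save needs a real SQL Server connection string, so Main does not call it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

static class EncodeOnceDemo
{
    // Constructed sample input containing the two characters the thread discusses.
    const string Raw = "Tom & Anna's notes";

    // Store the raw text unchanged. The apostrophe travels as parameter data,
    // so it cannot end the SQL string literal and needs no HTML encoding.
    // Table and column names are hypothetical.
    static void Save(string connectionString, int id, string description)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "UPDATE Presentation SET Description = @description WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@description", SqlDbType.NVarChar, -1).Value = description;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // One pass: what Razor's @ applies when the view renders the stored value.
        string once = WebUtility.HtmlEncode(Raw);
        // Two passes: encoding before saving, then @ encoding again on output.
        string twice = WebUtility.HtmlEncode(once);

        Console.WriteLine("raw:   " + Raw);
        Console.WriteLine("once:  " + once);
        Console.WriteLine("twice: " + twice);

        // A browser decodes one level. After one pass it shows the original text;
        // after two passes it shows the entity text itself to the user.
        Console.WriteLine(WebUtility.HtmlDecode(once) == Raw);
        Console.WriteLine(WebUtility.HtmlDecode(twice) == once);
    }
}
```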
ignatandrei
Jul 21, 2012 08:07 PM
Could you give a simple example?