
Imperfect HTML-encoding in ASP.NET MVC?

Developer https://www.devze.com 2023-02-11 13:04 Source: web

I'm using ASP.NET MVC 3. When I build my views using the default HTML helpers there is a problem with HTML encoding in tag attributes: the "greater-than" sign isn't encoded.

So this code

<%: Html.TextBox("TestText", "<Test>") %>

produces this output

<input id="TestText" name="TestText" type="text" value="&lt;Test>" />

Is there any reason why the value attribute isn't fully encoded, or is this a bug? Or is there any way to use full encoding even in tag attributes?

Thanks, Michael


You misunderstood the <%: tag. The <%: tag only encodes a normal string, not an HtmlString as returned by the Html.TextBox helper.

Example:

<%: Html.TextBox("TestText", "<Test>") %>
<%= Html.TextBox("TestText2", "<Test>") %>

Both statements return the same text value as mentioned in the question. Now consider this statement.

<%: "<Test>" %>

This statement encodes, as now a normal string is passed.

EDIT:

After checking the source code of MVC, I found that HttpUtility.HtmlAttributeEncode is called under the hood. It minimally converts a string to an HTML-encoded string.


"<test>" is being HTML encoded. The greater-than character '>' by itself is harmless, which is why it wasn't converted into &gt;

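The following is an added example, not code from the question, from either answer, or from ASP.NET MVC itself. It illustrates both answers above: that HttpUtility.HtmlAttributeEncode (the encoder MVC's helpers use for attribute values) leaves '>' alone while HttpUtility.HtmlEncode does not, that a bare '>' inside a double-quoted attribute cannot close the tag, and how to get full attribute encoding anyway by plugging a custom HttpEncoder into the runtime. It targets .NET Framework 4.x with a reference to System.Web.dll (MVC 3 runs on .NET 4); the namespace Demo, the class name FullAttributeEncoder and the assembly name DemoAssembly in the web.config comment are assumptions made for the example.

```csharp
// Added example; not code from the original post or from ASP.NET MVC.
// Build against .NET Framework 4.x with a reference to System.Web.dll.
using System;
using System.IO;
using System.Web;
using System.Web.Util;

namespace Demo
{
    // Hypothetical encoder (name is an assumption). It keeps every default
    // HttpEncoder behaviour except attribute encoding, which here also
    // escapes '>'. To activate it for a whole site, register it in web.config
    // (assembly name is an assumption for this example):
    //   <httpRuntime encoderType="Demo.FullAttributeEncoder, DemoAssembly" />
    // HttpUtility.HtmlAttributeEncode dispatches to HttpEncoder.Current, and
    // MVC's TagBuilder calls HttpUtility.HtmlAttributeEncode, so every Html
    // helper that builds a tag picks the new encoder up.
    public class FullAttributeEncoder : HttpEncoder
    {
        // The base member is 'protected internal' in another assembly, so the
        // override must be declared 'protected'.
        protected override void HtmlAttributeEncode(string value, TextWriter output)
        {
            if (string.IsNullOrEmpty(value)) return;
            foreach (char c in value)
            {
                switch (c)
                {
                    case '<':  output.Write("&lt;");   break;
                    case '>':  output.Write("&gt;");   break; // the only change over the default
                    case '"':  output.Write("&quot;"); break;
                    case '\'': output.Write("&#39;");  break;
                    case '&':  output.Write("&amp;");  break;
                    default:   output.Write(c);        break;
                }
            }
        }
    }

    static class Program
    {
        // Mirrors what TagBuilder does for the value attribute: the encoded
        // value is always placed between double quotes. Only '"' can end the
        // attribute value and only '&' can start an entity, so those (plus '<'
        // and '\'') are what the default encoder escapes; a bare '>' inside a
        // quoted value never terminates the tag.
        static string InputTag(string value)
        {
            return "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(value) + "\" />";
        }

        static void Main()
        {
            // Constructed sample inputs.
            string[] samples =
            {
                "<Test>",                     // the value from the question
                "\" onmouseover=\"alert(1)",  // tries to close the quoted value and inject an attribute
                "&lt;already-encoded&gt;",    // pre-encoding before the helper is wrong: '&' is escaped again
            };

            Console.WriteLine("== default encoder: attribute context vs. HtmlEncode ==");
            foreach (string s in samples)
            {
                Console.WriteLine(InputTag(s));
                Console.WriteLine("  HtmlEncode: " + HttpUtility.HtmlEncode(s));
            }

            // Swap the process-wide encoder at runtime (the programmatic
            // equivalent of the web.config setting above) and repeat:
            // '>' is now written as &gt; in attribute values too.
            HttpEncoder.Current = new FullAttributeEncoder();
            Console.WriteLine("== FullAttributeEncoder ==");
            foreach (string s in samples)
            {
                Console.WriteLine(InputTag(s));
            }
        }
    }
}
```

Two practical points follow from this. First, the minimal encoding is only safe because the helpers always double-quote attribute values; a hand-written unquoted attribute such as `<input value=<%: x %>>` is a different context, where '>' and whitespace do end the value, so never rely on HtmlAttributeEncode there. Second, do not try to work around the missing `&gt;` by calling HttpUtility.HtmlEncode on the value before handing it to Html.TextBox: the helper encodes the '&' of `&lt;` again and the user sees the literal text `&lt;Test&gt;`. If a site-wide stricter encoder is wanted without writing one, .NET 4.5 ships System.Web.Security.AntiXss.AntiXssEncoder, which derives from HttpEncoder and is registered through the same encoderType attribute.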
