Html encoding in MVC input_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2022-12-31 08:30 出处：网络

I\'m working through NerdDinner and I\'m a bit confused about the following section... First they\'ve added a form for creating a new dinner, with a bunch of textboxes delcared like:

I'm working through NerdDinner and I'm a bit confused about the following section...

First they've added a form for creating a new dinner, with a bunch of textboxes delcared like:

<%= Html.TextArea("Description") %>

They then sho开发者_JS百科w two ways of binding form input to the model:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create() {
    Dinner dinner = new Dinner();
    UpdateModel(dinner);
    ...
}

or:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(Dinner dinner) { ... }

Ok, great, that all looks really easy so far.

Then a bit later on they say:

It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks

Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?

You generally (but not always) want to HTML encode the values before writing them out, typically in your views, but possibly from the controller as well.

Some info here: http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx