views: 434

answers: 2

In an ASP.NET MVC application all string output is unescaped by default: either you remember to escape everything with HttpUtility, or you open yourself up to XSS attacks.

Now I'm a forgetful guy so I'm looking for a solution that helps me "not forget" to escape all my strings for me.

Can anybody share any techniques they've used to make escaping all ASP.NET MVC output easier?

A: 

I think you'll find that a lot of things aren't "built-in" to MVC, because that's sorta one of the core values of it: it's flexible enough to give you a lot of control, and therefore it expects you to do some things yourself.

However, check out MVCContrib, specifically FluentHtml; I believe it does encoding for you by default.

mgroves
+2  A: 

jfar, what you want is absolutely possible, see this excellent blog post:

http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/

Steve Sanderson explains step-by-step how to change the "<%= ... %>" behavior by overriding the GenerateCodeFromStatement() method of the CSharpCodeProvider class, which is a cool thing. It cleans up a lot of HttpUtility.HtmlEncode calls and works pretty well with ASP.NET MVC.

Cleiton
From what I've read this seems like the best option until ASP.NET 4.0 comes out with the new <%: x %> syntax. See this link: http://haacked.com/archive/2009/09/25/html-encoding-code-nuggets.aspx
Eric Lathrop
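The compile-time approach Cleiton's answer describes, as an added example that is not the blog post's code or part of the original thread: a CSharpCodeProvider subclass that rewrites every `<%= expr %>` nugget so its value passes through an HTML-encoding helper before being written, with an explicit opt-out type for markup that is genuinely safe. The names HtmlEncodingCodeProvider, HtmlOutput and RawHtml are mine, and the assumption that the page parser emits a nugget as `__w.Write(expr)` is what the rewrite matches on.

```csharp
// Added example: encode every <%= %> nugget at view-compile time so that a
// forgotten HttpUtility.HtmlEncode no longer becomes reflected XSS.
// HtmlEncodingCodeProvider, HtmlOutput and RawHtml are names chosen here,
// not the blog post's or the framework's.
using System;
using System.CodeDom;
using System.IO;
using System.Web;
using Microsoft.CSharp;

// Marker for markup that is already safe and must be written unencoded.
// Wrapping output in this type is a deliberate, reviewable opt-out.
public sealed class RawHtml
{
    private readonly string html;
    public RawHtml(string html) { this.html = html ?? string.Empty; }
    public override string ToString() { return html; }
}

public static class HtmlOutput
{
    // Called by the generated page code for every rewritten nugget.
    public static string Encode(object value)
    {
        if (value == null) return string.Empty;
        var raw = value as RawHtml;
        if (raw != null) return raw.ToString();          // explicit opt-out only
        return HttpUtility.HtmlEncode(Convert.ToString(value));
    }
}

public class HtmlEncodingCodeProvider : CSharpCodeProvider
{
    public override void GenerateCodeFromStatement(CodeStatement statement, TextWriter writer, CodeGeneratorOptions options)
    {
        // Assumption: the page parser emits <%= expr %> as __w.Write(expr);
        // only that shape is rewritten, every other statement passes through.
        var exprStatement = statement as CodeExpressionStatement;
        var invoke = exprStatement == null ? null : exprStatement.Expression as CodeMethodInvokeExpression;
        if (invoke != null && invoke.Method.MethodName == "Write" && invoke.Parameters.Count == 1)
        {
            var target = invoke.Method.TargetObject as CodeVariableReferenceExpression;
            if (target != null && target.VariableName == "__w")
            {
                // Rewrite __w.Write(expr) into __w.Write(HtmlOutput.Encode(expr)).
                invoke.Parameters[0] = new CodeMethodInvokeExpression(
                    new CodeTypeReferenceExpression(typeof(HtmlOutput)), "Encode", invoke.Parameters[0]);
            }
        }
        base.GenerateCodeFromStatement(statement, writer, options);
    }
}
```

The provider is registered in web.config under system.codedom/compilers as the C# compiler type, after which any view output that is already markup (helper results, for instance) must be wrapped in RawHtml or it will be encoded too.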