If the name of a link is pulled from the database, should you be calling the Html.Encode method to clean the name?
For example:
Html.ActionLink(Model.PersonFromDB.FirstName,
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)
or:
Html.ActionLink(Html.Encode(Model.PersonFromDB.FirstName),
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)
It would make sense that you would want to do this to ensure that there are no dangerous strings injected into the page between the <a> and </a> tags, but are scripts and such executable between anchor tags?
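The following is an added example, not code from the question. It models in plain JavaScript what an HTML-encoding link helper does with a name that came from the database, so the three outcomes can be compared side by side: no encoding (the name closes the anchor early and a script element lands in the page), encoding done by the helper (the name is inert text), and encoding done twice (safe, but the visible text is mangled). Html.ActionLink already encodes the link text it is given via TagBuilder.SetInnerText, so the second case is what the first snippet above produces and the third is what the Html.Encode variant produces. The functions htmlEncode, unsafeLink, safeLink and renderAll, the sample name and the href are all made up for this demonstration.

```javascript
// Added example: models how an HTML-encoding link helper treats a link name
// taken from the database. Not code from the original question.

// Minimal HTML encoder covering the characters that matter inside text and
// double-quoted attribute values (the same set .NET's HtmlEncode handles).
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Naive helper that drops the link text into the markup unchanged. This is
// the situation the question worries about: the name can close </a> early and
// start a new element, so "between the anchor tags" is not a safe position.
function unsafeLink(linkText, href) {
  return '<a href="' + href + '">' + linkText + '</a>';
}

// Helper that encodes both the attribute value and the inner text, which is
// what a tag-building HTML helper such as ActionLink does for you.
function safeLink(linkText, href) {
  return '<a href="' + htmlEncode(href) + '">' + htmlEncode(linkText) + '</a>';
}

// Constructed sample value (not real data): a "first name" that tries to
// break out of the anchor and inject a script.
const hostileName = 'Bob</a><script>alert(document.cookie)</script><a>';
const href = '/Controller/Action/42';

// Does the rendered markup contain a live <script> element anywhere?
// True means the name escaped the text position and became markup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render all three variants so they can be compared:
//  unsafe        - raw concatenation, the script tag survives
//  safe          - helper encodes once, the name is inert text
//  doubleEncoded - caller encodes first, helper encodes again; no injection,
//                  but the page now shows "&lt;" where the data had "<"
function renderAll() {
  return {
    unsafe: unsafeLink(hostileName, href),
    safe: safeLink(hostileName, href),
    doubleEncoded: safeLink(htmlEncode(hostileName), href),
  };
}

const out = renderAll();
console.log('unsafe        :', out.unsafe);
console.log('safe          :', out.safe);
console.log('double encoded:', out.doubleEncoded);
```

The useful check when auditing a view is the one containsScriptTag performs on the final markup: if the name can still produce a `<script` (or a `</a>`) after rendering, the text position is not protected, regardless of where in the page it sits. Encoding once, at the point where the string is turned into markup, is what removes that; encoding a second time does not add safety, it only corrupts the displayed name.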