tags:

views:

34

answers:

1
+2  Q: 

Html encoding in MVC input

I'm working through NerdDinner and I'm a bit confused about the following section...

First they've added a form for creating a new dinner, with a bunch of textboxes delcared like:

<%= Html.TextArea("Description") %>

They then show two ways of binding form input to the model:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create() {
    Dinner dinner = new Dinner();
    UpdateModel(dinner);
    ...
}

or:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(Dinner dinner) { ... }

Ok, great, that all looks really easy so far.

Then a bit later on they say:

It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks

Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?

+1  A: 

You generally (but not always) want to HTML encode the values before writing them out, typically in your views, but possibly from the controller as well.

Some info here: http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

RedFilter  2010-05-25 17:10:46
so it doesn't matter what I let the user enter into the form, as long as I don't output it again without encoding? I don't really know how HTML injection works.
fearofawhackplanet  2010-05-25 18:53:32
Yes. There are many types of cross-site scripting attacks, but a simple check on your own site is to try entering `<script>alert('XSS vulnerability')</script>` anywhere the user can enter data (including when creating their user name). If you see the alert popup (assuming you have javascript turned on), you'll have found a place that needs HTML encoding. It is best to HTML encode **all** output, and only remove that encoding when necessary.
RedFilter  2010-05-25 19:04:34
ok thanks orbman
fearofawhackplanet  2010-05-25 22:52:48

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data