views:

69

answers:

2

In ASP.NET 4, we can use the new <%: ... %> operator to output HTML encoded strings. Is it possible to configure ASP.NET 4 (in web.config) so that the <%= ... %> operator will also HTML encode strings?

+3  A: 

No, fortunately.

If you configure it this way, your developers will get into the habit of using <%= ... %> and not encoding.

If they subsequently work on a different (normal) project, they will end up forgetting to encode their output.

ASP.Net Razor does default to HTML encoding, because it doesn't have this issue.
(There is no Razor code you can switch to that won't encode by default)

SLaks
+1  A: 

Personally, I don't like this new <%: syntax. I'd rather use <%= HttpUtility.HtmlEncode( because it is much more explicit.

Besides this, it gives a false sense of security, because it only does HTML encoding. Look at this snippet for instance:

function myJavaScriptFunction()
{
    var message = '<%: Person.LastComment %>';
    alert(message);
}

It is not safe, because it doesn't use the proper encoding. The following is safe:

function myJavaScriptFunction()
{
    var message = '<%: AntiXss.JavaScriptEncode(Person.LastComment) %>';
    alert(message);
}

Much more explicit.

Steven
+1 for making a good point, but not exactly an answer to the question!
Damian Powell
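The point Steven's answer makes, that an HTML encoder is the wrong tool inside a script block, can be shown with plain JavaScript. The following is an added example, not code from the answers above and not the AntiXSS library or ASP.NET's <%: %> encoder: htmlEncode and jsStringEncode are hand-written stand-ins that illustrate what those two kinds of encoder do, and the sample values are constructed. It renders the `var message = '...';` line from the answer with each encoder and then asks a JavaScript parser what the literal actually decodes to.

```javascript
// Context-aware output encoding for a value placed inside a JavaScript
// string literal. Added example; htmlEncode() and jsStringEncode() are
// illustrations of the two encoder kinds, not the ASP.NET or AntiXSS code.

// HTML-body encoder (what <%: %> / HttpUtility.HtmlEncode does, roughly).
// Right for HTML text and attribute values, wrong inside <script>.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// JavaScript string-literal encoder: every character outside [A-Za-z0-9]
// becomes \xHH (or \uHHHH above 0xFF), so quotes, backslashes, line
// terminators and "</script>" never appear raw inside the literal.
function jsStringEncode(s) {
  const str = String(s);
  let out = "";
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    const code = str.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (code <= 0xff) {
      out += "\\x" + code.toString(16).padStart(2, "0");
    } else {
      out += "\\u" + code.toString(16).padStart(4, "0");
    }
  }
  return out;
}

// Render the line from the answer's snippet, var message = '<%: ... %>';,
// with a chosen encoder standing in for the server-side tag.
function renderScriptLine(value, encoder) {
  return "var message = '" + encoder(value) + "';";
}

// What a JS engine makes of the rendered line: the string the literal
// decodes to, or null if the line does not even parse. Used here only to
// inspect constructed samples, so the parser's view is visible in the test.
function parsedMessage(line) {
  try {
    return new Function(line + " return message;")();
  } catch (e) {
    return null;
  }
}

// Constructed sample comment values (not real user data).
const SAMPLES = {
  apostrophe: "it's fine",        // HTML encoder leaves a literal entity
  multiline: "line one\nline two", // HTML encoder leaves a raw newline
  backslash: "C:\\temp",           // HTML encoder leaves a raw backslash
  closingTag: "</script><b>x</b>", // both neutralise it; only one keeps data
};

// Decode each sample through both encoders for side-by-side comparison.
function compareEncoders(value) {
  return {
    html: parsedMessage(renderScriptLine(value, htmlEncode)),
    js: parsedMessage(renderScriptLine(value, jsStringEncode)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, value] of Object.entries(SAMPLES)) {
    console.log(name, compareEncoders(value));
  }
}
```

With the HTML encoder the apostrophe sample reaches the script as the literal text `it&#39;s fine` (entities are not decoded inside a script block), the multiline sample does not parse at all because the raw newline ends the string literal, and the backslash sample silently turns `\t` into a tab; the JavaScript-context encoder round-trips every sample to its original value. The lesson is the one in the answer: pick the encoder for the context the value lands in, and apply exactly one.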