tags:

views:

350

answers:

3
+1  Q: 

Should Html.Encode be called when building ActionLinks in ASP.NET MVC

If the name of a link is pulled from the database, should you be calling the Html.Encode method to clean the name?

For example:

Html.ActionLink(Model.PersonFromDB.FirstName,
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)

or:

Html.ActionLink(Html.Encode(Model.PersonFromDB.FirstName),
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)

It would make sense that you would want to do this to ensure that there are no dangerous strings injected into the page between <a> and </a> tags, but are scripts and such executable between anchor tags?

A: 

Yes, absolutely. As a general rule, for any HTML that you are going to output that was originally obtained from an untrusted source, assuming the format wasn't HTML already (and sufficiently vetted), you should always HTML encode the string to protect against injection attacks.

casperOne  2010-02-17 19:56:11
No. See http://stackoverflow.com/questions/2283920/should-html-encode-be-called-when-building-actionlinks-in-asp-net-mvc/2284022#2284022
bzlm  2010-04-13 14:47:34
A: 

It's certainly a good idea, but you should probably be preventing users from entering in potentially malicious strings as their first name.

Kevin Pang  2010-02-17 20:00:22
ASP.NET MVC has a feature that checks all input to see if you are attempting to input script or malicious text, so that's already in place.
Chris F  2010-02-17 20:04:36
I generally agree, but keep in mind that "potentially malicious" depends a lot on where the data will be _displayed_. For instance, "</form>" is not at all damaging when displayed on a paper report or a raw DB report, it's only an issue when displayed in HTML. Thus, it's ultimately the job of the _presentation layer_ to format the data according to its specific needs.
Seth Petry-Johnson  2010-02-17 20:05:26
+5  A: 

No, since according to this thread on SO HtmlAction.Link() already HTML encodes values, so you'd end up doing it twice.

Dan Diplo  2010-02-17 20:10:21
Correct; see `GenerateLinkInternal` in HtmlHelper.cs in the MVC 2 source code.
Craig Stuntz  2010-02-17 20:11:51

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data