Preventing cross-site scripting in ASP.NET MVC - using jQuery or standard HtmlHelpers

Posted by user313353 on Stack Overflow
Published on 2010-04-20T11:40:49Z Indexed on 2010/04/20 11:43 UTC

I am building an ASP.NET MVC application that is AJAX-driven. For some reason I need to add some DOM elements on the fly when clicking a submit button. This is accomplished with jQuery.append().

One element inserted is a textarea, whose data must be parsed before submitting to ensure that no cross-site scripting can be done.

We know that Html.Encode() works great but must be declared outside a script tag. All I have done with jQuery is embedded within a script tag.

1) Is there a way to take advantage of Html.Encode() within a script tag?

2) How can I accomplish this with jQuery?

At worst I can use HttpUtility.HtmlEncode(), which is called on the server-side.

Thanks for your help.

Roland
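
An added example, not part of the original post: a JavaScript counterpart of Html.Encode() for text that is concatenated into markup handed to jQuery.append(), shown beside the unencoded form. The function names and the sample value are hypothetical, and the server still has to encode the submitted value on output (for example with HttpUtility.HtmlEncode()).

```javascript
// Added example: encode user text before it is concatenated into markup.
// Function names are hypothetical; this is not code from the original post.

// Characters that can change HTML structure in element content
// or inside a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Returns text that is safe to place in HTML element content or in a
// quoted attribute value. null/undefined become an empty string.
function htmlEncode(value) {
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"']/g, function (ch) {
    return HTML_ESCAPES[ch];
  });
}

// Unencoded: a value containing "</textarea>" closes the element early
// and the remainder is parsed as markup when appended.
function textareaMarkupUnsafe(name, value) {
  return '<textarea name="' + name + '">' + value + '</textarea>';
}

// Encoded: both the attribute value and the element content are escaped,
// so the browser treats the whole value as text.
function textareaMarkupSafe(name, value) {
  return '<textarea name="' + htmlEncode(name) + '">' +
         htmlEncode(value) + '</textarea>';
}

// Constructed sample input, as a user might type it into the form.
const SAMPLE_COMMENT = 'hello</textarea><script>alert(1)</script>';

// With jQuery loaded, the string building can be avoided entirely:
//   $('<textarea>', { name: name }).val(value).appendTo(form);
// .val() and .text() assign text, so no markup is parsed.
```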
