Html encoding in MVC input

Posted by fearofawhackplanet on Stack Overflow See other posts from Stack Overflow or by fearofawhackplanet
Published on 2010-05-25T17:01:27Z Indexed on 2010/05/25 17:11 UTC
Read the original article Hit count: 240

Filed under:

asp.net-mvc

|

web-security

|

htmlencode

I'm working through NerdDinner and I'm a bit confused about the following section...

First they've added a form for creating a new dinner, with a bunch of textboxes delcared like:

<%= Html.TextArea("Description") %>

They then show two ways of binding form input to the model:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create() {
    Dinner dinner = new Dinner();
    UpdateModel(dinner);
    ...
}

or:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(Dinner dinner) { ... }

Ok, great, that all looks really easy so far.

Then a bit later on they say:

It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks

Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?

© Stack Overflow or respective owner

Related posts about asp.net-mvc

Migrating ASP.NET MVC 1.0 applications to ASP.NET MVC 2 RTM

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Note: ASP.NET MVC 2 RTM isn’t yet released! But this tool will help you get your ASP.NET MVC 1.0 applications ready for when it is! I have updated the MVC App Converter to convert projects from ASP.NET MVC 1.0 to ASP.NET MVC 2 RTM. This should be last the last major change to the MVC App Converter… >>> More
ASP.NET MVC 3 Hosting :: New Features in ASP.NET MVC 3

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Razor View Engine The Razor view engine is a new view engine option for ASP.NET MVC that supports the Razor templating syntax. The Razor syntax is a streamlined approach to HTML templating designed with the goal of being a code driven minimalist templating approach that builds on existing C#, VB… >>> More
PathTooLongException after migrating from ASP.NET MVC 1 to ASP.NET MVC 2

as seen on Stack Overflow - Search for 'Stack Overflow'
I had updated my app from MVC 1 to MVC 2. After that some pages throws PathTooLongException: [PathTooLongException: The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.] … >>> More
Differece between Asp.net MVC 1 and Asp.net MVC 2

as seen on Stack Overflow - Search for 'Stack Overflow'
what is differece between Asp.net MVC 1 and Asp.net MVC 2? >>> More
Top 5 reasons for using ASP.NET MVC 2 rather than ASP.NET MVC 1

as seen on Stack Overflow - Search for 'Stack Overflow'
I've been using ASP.NET MVC 1 for a while now, and am keen to take advantage of the improvements in MVC 2. Things like validation seem greatly improved, and strongly-typed HTML helper methods look great. So, for those of you who have real-world practical experience of using ASP.NET MVC 1 and are… >>> More

Related posts about web-security

System.Web.Security.FormsAuthentication.Encrypt returns null

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to encrypt some userData to create my own custom IPrincipal and IIdentity objects using Forms authentication - I've serialized an object representing my logged in user to Json and created my FormsAuthentication ticket like so: string user_item = GetJsonOfLoggedinUser();/*get JSON representation… >>> More
Google Releases Web Security Scanner

as seen on Devx - Search for 'Devx'
"Skipfish" helps developers test their Web apps for vulnerabilities. >>> More
Google Releases Web Security Scanner

as seen on Internet.com - Search for 'Internet.com'
"Skipfish" helps developers test their Web apps for vulnerabilities. >>> More
Web Security Threats on the Rise, Report Finds

as seen on Dot net Slackers - Search for 'Dot net Slackers'
It may not be Tony Soprano on the Web, but a new security report finds that wise-guy hackers have become increasingly organized....Did you know that DotNetSlackers also publishes .net articles written by top known .net Authors? We already have over 80 articles in several categories including Silverlight… >>> More
Web Security: Worst-Case Situation

as seen on Stack Overflow - Search for 'Stack Overflow'
I currently have built a system that checks user IP, browser, and a random-string cookie to determine if he is an admin. In the worst case, someone steals my cookie, uses the same browser I do, and masks his IP to appear as mine. Is there another layer of security I should add onto my script to make… >>> More