Html encoding in MVC input
- by fearofawhackplanet
I'm working through NerdDinner and I'm a bit confused about the following section...
First they've added a form for creating a new dinner, with a bunch of textboxes declared like:
<%= Html.TextArea("Description") %>
They then show two ways of binding form input to the model:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create() {
Dinner dinner = new Dinner();
UpdateModel(dinner);
...
}
or:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(Dinner dinner) { ... }
Ok, great, that all looks really easy so far.
Then a bit later on they say:
It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks.
Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?
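The following console program is an added illustration of the point the quoted NerdDinner passage is making; it is not code from the tutorial or from the question. It stands in for the MVC pipeline: a Bind method plays the role of UpdateModel / the default model binder, which copies the posted value into the Dinner unchanged, and two render methods play the role of a view that writes the value either raw or HTML-encoded. The Dinner class, the form dictionary and the script payload are constructed for the example; WebUtility.HtmlEncode is used so it runs outside a web project (assumption: it applies the same escaping as HttpUtility.HtmlEncode, which the MVC 1 Html.Encode helper wraps).

```csharp
// Added example, not from the NerdDinner tutorial or the question above.
using System;
using System.Collections.Generic;
using System.Net; // WebUtility.HtmlEncode (assumed equivalent to HttpUtility.HtmlEncode / Html.Encode)

public class Dinner
{
    public string Title { get; set; }
    public string Description { get; set; }
}

public static class Program
{
    // Stand-in for UpdateModel / the default model binder:
    // the raw posted string is stored in the model as-is, no encoding happens here.
    public static Dinner Bind(IDictionary<string, string> form)
    {
        return new Dinner
        {
            Title = form["Title"],
            Description = form["Description"]
        };
    }

    // Unsafe view: equivalent to <%= Model.Description %> writing the stored string verbatim.
    public static string RenderRaw(Dinner d)
    {
        return "<p>" + d.Description + "</p>";
    }

    // Safe view: equivalent to <%= Html.Encode(Model.Description) %> (MVC 1)
    // or <%: Model.Description %> (MVC 2). Encoding is applied at output time.
    public static string RenderEncoded(Dinner d)
    {
        return "<p>" + WebUtility.HtmlEncode(d.Description) + "</p>";
    }

    public static void Main()
    {
        // Constructed form post with a script payload in the Description field.
        var form = new Dictionary<string, string>
        {
            { "Title", "Pizza night" },
            { "Description", "Bring drinks<script>alert(document.cookie)</script>" }
        };

        Dinner dinner = Bind(form);

        // Raw output: the script tag reaches the browser and executes.
        Console.WriteLine(RenderRaw(dinner));
        // Encoded output: <p>Bring drinks&lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>
        Console.WriteLine(RenderEncoded(dinner));
    }
}
```

The binder is deliberately left untouched: the model keeps the text exactly as the user typed it, and the encoding belongs at the point where that text is written into HTML, because the same value might later be written somewhere else (JSON, a mail body) where HTML encoding would be wrong.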