Wednesday, June 8, 2011

Finally HtmlEncoding syntax is coming to the databinding tag

In ASP.Net 4 MVC and WebForms, we currently have these two methods for automatically HtmlEncoding output without having to call HttpUtility.HtmlEncode(xxx)

1. @ (Mvc 3 Razor syntax)
2. <%: which both automatically html encode the output to help prevent against XSS (Cross Site Scripting) attacks. This was lacking for data binding syntax for example: 


<%# Eval("FirstName") %>
This above syntax had no html encoding and you specifically had to call it
<%# HttpUtility.HtmlEncode((string)Eval("FirstName")) %>

In the future you will be able to just:
<%#: Eval("FirstName") %>

This new syntax will be available in the next version of asp.net (4.1?)
Posted by at

1 comment:

  1. AnonymousJuly 14, 2014 at 6:15 PM

    Thank you for posting this very relevant article. Those who are in web development outsourcing will surely find this as informative. Cheers!

    ReplyDelete

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)