Wednesday, June 8, 2011

Finally, HTML-encoding syntax is coming to the data-binding tag

In ASP.NET 4 (MVC and WebForms) we currently have two ways of HTML-encoding output automatically, without having to call HttpUtility.HtmlEncode(...) by hand:

1. @ (MVC 3 Razor syntax)
2. <%: (ASP.NET 4 WebForms and ASPX view syntax)

Both automatically HTML-encode the output, which helps prevent XSS (Cross-Site Scripting) attacks. The data-binding syntax lacked this. For example:

<%# Eval("FirstName") %>
The syntax above does no HTML encoding at all: whatever is in the bound value goes straight into the response, so you had to call HtmlEncode explicitly:
<%# HttpUtility.HtmlEncode((string)Eval("FirstName")) %>
(Note that the (string) cast fails at runtime when the bound value is not a string, for example DBNull.Value from a nullable database column, so this workaround also has to be written carefully.)

In the future you will be able to write just:
<%#: Eval("FirstName") %>

This new syntax will be available in the next version of ASP.NET (4.1?).
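To make the difference concrete, here is an added example (my own, not code from the original post): a single-file WebForms page that binds a constructed list and renders the same field three ways, unencoded, with the manual HttpUtility.HtmlEncode call, and with the new data-binding encoding syntax. The Person class and its sample values are made up for the demo, and the third column assumes a version of ASP.NET that actually has the <%#: %> syntax (it shipped in ASP.NET 4.5).

```aspx
<%@ Page Language="C#" %>
<%-- Added example, not code from the original post. Single-file WebForms page that
     binds a constructed list and renders the same field three ways. The third
     column requires a version of ASP.NET that has the encoding data-binding syntax
     (it shipped in ASP.NET 4.5). Person and its sample values are made up for the demo. --%>
<script runat="server">
    // Constructed sample type; imagine FirstName came from a user-editable profile.
    public class Person { public string FirstName { get; set; } }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        rptPeople.DataSource = new[]
        {
            new Person { FirstName = "Alice" },
            // Attacker-controlled value: a tag whose event handler runs if rendered unencoded.
            new Person { FirstName = "<img src=x onerror=\"alert('XSS')\">" }
        };
        rptPeople.DataBind();
    }
</script>
<html>
<body>
<form id="form1" runat="server">
<table border="1">
  <tr><th>Raw</th><th>Manual HtmlEncode</th><th>Encoding syntax</th></tr>
  <asp:Repeater ID="rptPeople" runat="server">
    <ItemTemplate>
      <tr>
        <%-- Unencoded: the second row injects an img tag and its onerror handler fires. --%>
        <td><%# Eval("FirstName") %></td>
        <%-- ASP.NET 4.0 workaround: encode by hand; the cast throws on DBNull values. --%>
        <td><%# HttpUtility.HtmlEncode((string)Eval("FirstName")) %></td>
        <%-- Encoding data-binding syntax: same entity-encoded output as the column before. --%>
        <td><%#: Eval("FirstName") %></td>
      </tr>
    </ItemTemplate>
  </asp:Repeater>
</table>
</form>
</body>
</html>
```

Drop the file into an ASP.NET web site and open it in a browser: the second row's Raw cell emits the img tag verbatim, so the alert fires, while the two encoded cells emit the same text with < > " and ' turned into entities, so the browser shows the payload as literal text. Viewing the page source is the quickest check that the encoded columns really contain &lt;img ... and not a tag.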

1 comment:

  1. Thank you for posting this very relevant article. Those who are in web development outsourcing will surely find this informative. Cheers!