Now that MVC has introduced HTML Encoding via
<%: blah %>
is there still value in using
<%= AntiXSS.HTMLEncode(blah) %>
instead?
For example: My application will take all content in (including JavaScript) and store it in its raw state in the database. I was planning on simply outputting everything using something like <%: model.Name %> and relying on the MVC "stuff" to do the encoding for me.
Is that method secure enough to rely on for AntiXSS, or do I need to explicitly use the AntiXSS Library? If I need to use the AntiXSS Library, can I ask why wouldn't that kind of thing be already built into MVC?
I don't think there's any real difference, but if you're really that concerned, you can use the AntiXss library as the default encoder for asp.net, as described in this article.
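The wiring the answer refers to, as an added example (not code from the question, the answer or the linked article): in .NET 4, `<%: %>` calls `HttpUtility.HtmlEncode`, which delegates to whatever `HttpEncoder` is registered, so a subclass that forwards to the AntiXSS library's allow-list encoder makes every `<%: %>` use it. The namespace, class name and assembly name below are placeholders.

```csharp
using System.IO;
using System.Web.Util;

namespace MyApp.Security   // placeholder namespace
{
    // Custom encoder: routes the HTML and HTML-attribute encoding that
    // HttpUtility (and therefore <%: %>) performs through the AntiXSS library,
    // which encodes everything outside a small allow-list of safe characters.
    public class AntiXssHttpEncoder : HttpEncoder
    {
        protected internal override void HtmlEncode(string value, TextWriter output)
        {
            if (value == null) return;
            // Microsoft.Security.Application.Encoder comes from the AntiXSS library
            output.Write(Microsoft.Security.Application.Encoder.HtmlEncode(value));
        }

        protected internal override void HtmlAttributeEncode(string value, TextWriter output)
        {
            if (value == null) return;
            output.Write(Microsoft.Security.Application.Encoder.HtmlAttributeEncode(value));
        }
    }
}

// web.config: register the encoder so HttpUtility.HtmlEncode uses it application-wide.
// "MyApp" is the placeholder assembly name of the project containing the class above.
//
// <system.web>
//   <httpRuntime encoderType="MyApp.Security.AntiXssHttpEncoder, MyApp" />
// </system.web>
```

Either encoder only protects an HTML text or attribute context; a value emitted inside a `<script>` block or an event handler still needs JavaScript encoding (for example `HttpUtility.JavaScriptStringEncode` or the AntiXSS `Encoder.JavaScriptEncode`). On .NET 4.5 and later the framework ships an equivalent `System.Web.Security.AntiXss.AntiXssEncoder` that can be named in `encoderType` without writing a subclass.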