Forgive me if this is a silly question. I haven't been able to find the answer stated explicitly.
I rarely use Bind() or Eval() in my aspx pages, and instead use the following syntax: (Assume this is in an ItemTemplate in a Repeater control)
<asp:Label id="lblFirstName" runat="server" Text='<%# Microsoft.Security.Application.AntiXss.HtmlEncode(DataBinder.Eval(Container.DataItem, "FirstName").ToString()) %>' />
I started doing this a long time ago and simply never questioned it, but now it occurs to me that this may be overkill. And now I'm using a CMS that uses this syntax all over the place:
<asp:Label id="lblFirstName" runat="server" Text='<%# Bind("FirstName") %>' />
So I'm wondering, basically, if I use Bind() or Eval() does the runtime automatically HtmlEncode the output? Have I been doing unnecessary coding all along?
Bind() and Eval() do NOT do anything to prevent that type of thing and do not encode. Neither do the <%# %> style code blocks.
However, if you are using ASP.NET 4 and later you can use <%: %> blocks to handle this for response write type situations and <%#: %> for data bind situations.
Scott Guthrie has a great post about this.
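The three data-binding syntaxes compared above, side by side in one self-contained .aspx page. This is an added example, not code from the question, the answer or the CMS mentioned; the Person class, the Repeater and the hostile FirstName value are constructed for illustration. The <%#: %> form requires ASP.NET 4.5 or later, while the explicit HttpUtility.HtmlEncode call works on any version.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Collections.Generic" %>
<%@ Import Namespace="System.Web" %>
<script runat="server">
    // Constructed sample data: the second row is the kind of value a user
    // could type into a registration form. Nothing here comes from a real site.
    public class Person { public string FirstName { get; set; } }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        var people = new List<Person>
        {
            new Person { FirstName = "Alice" },
            new Person { FirstName = "<img src=x onerror=alert(document.domain)>" },
        };
        rptPeople.DataSource = people;
        rptPeople.DataBind();
    }
</script>
<!DOCTYPE html>
<html>
<body>
<form id="form1" runat="server">
<asp:Repeater ID="rptPeople" runat="server">
    <ItemTemplate>
        <p>
            <%-- UNSAFE: a plain data-binding block passes the string through
                 untouched, and Label.Text is not encoded on render, so the second
                 row emits a live img tag whose onerror handler runs in the browser. --%>
            <asp:Label ID="lblRaw" runat="server" Text='<%# Eval("FirstName") %>' />

            <%-- SAFE (ASP.NET 4.5+): the colon form is the same binding plus
                 HtmlEncode, so the browser shows the literal text
                 &lt;img src=x onerror=alert(document.domain)&gt; instead of an element. --%>
            <asp:Label ID="lblAuto" runat="server" Text='<%#: Eval("FirstName") %>' />

            <%-- SAFE on any ASP.NET version: encode explicitly, which is what the
                 AntiXss.HtmlEncode call in the question does with a different encoder. --%>
            <asp:Label ID="lblManual" runat="server"
                       Text='<%# HttpUtility.HtmlEncode(Eval("FirstName") as string) %>' />
        </p>
    </ItemTemplate>
</asp:Repeater>
</form>
</body>
</html>
```

Drop the file into any ASP.NET Web Forms site (IIS Express is enough), load it, and view the page source: lblRaw contains a real `<img ...>` element and the alert fires, while lblAuto and lblManual contain `&lt;img ...&gt;` and render as harmless text. The same distinction applies to the CMS markup above: `<%# Bind("FirstName") %>` is the lblRaw case, and changing it to `<%#: Bind("FirstName") %>` is the smallest fix on 4.5 or later.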