Does Bind() or Eval() automatically HtmlEncode to protect against XSS?

Forgive me if this is a silly question. I haven't been able to find the answer stated explicitly.

I rarely use Bind() or Eval() in my aspx pages, and instead use the following syntax: (Assume this is in an ItemTemplate in a Repeater control)

<asp:Label id="lblFirstName" runat="server" Text='<%# Microsoft.Security.Application.AntiXss.HtmlEncode(DataBinder.Eval(Container.DataItem, "FirstName").ToString()) %>' />

I started doing this a long time ago and simply never questioned it, but now it occurs to me that this may be overkill. And now I'm using a CMS that uses this syntax all over the place:

<asp:Label id="lblFirstName" runat="server" Text='<%# Bind("FirstName") %>' />

So I'm wondering, basically, if I use Bind() or Eval() does the runtime automatically HtmlEncode the output? Have I been doing unnecessary coding all along?

David asked Mar 26 '13 15:03


1 Answer

Bind() and Eval() do NOT do anything to prevent that type of thing and do not encode. Neither do the <%# %> style code blocks.

However, if you are using ASP.NET 4 and later you can use <%: %> blocks to handle this for response write type situations and <%#: %> for data bind situations.

Scott Guthrie has a great post about this.

Mitchel Sellers answered Nov 06 '22 23:11
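The three forms side by side, as an added illustration that is not part of the question or the answer above. It assumes a Repeater bound to objects with a FirstName property that may hold attacker-controlled text; the control IDs are made up. The <%: %> syntax shipped in ASP.NET 4.0 and the <%#: %> data-binding form in ASP.NET 4.5, so on older runtimes only the explicit-encoding variant applies.

```aspx
<%-- Added example, not code from the question or the answer.
     Assumes each data item exposes a FirstName string that may contain
     user-supplied markup; the IDs below are hypothetical. --%>
<asp:Repeater ID="rptPeople" runat="server">
    <ItemTemplate>
        <%-- 1. Unencoded: Eval() and Bind() return the raw string and the plain
                # data-binding block writes it as-is. Label.Text is rendered as
                markup, so a FirstName of "<script>...</script>" ends up live in
                the page. This is the vulnerable form. --%>
        <asp:Label ID="lblUnencoded" runat="server" Text='<%# Eval("FirstName") %>' />

        <%-- 2. Explicit encoding: works on every ASP.NET version. HttpUtility
                lives in System.Web; the AntiXSS call from the question does the
                same job. The "{0}" format overload returns "" for a null value
                instead of throwing. --%>
        <asp:Label ID="lblExplicit" runat="server"
            Text='<%# HttpUtility.HtmlEncode(Eval("FirstName", "{0}")) %>' />

        <%-- 3. ASP.NET 4.5 and later: the #: data-binding block HTML-encodes the
                result for you. Values implementing IHtmlString are treated as
                already-safe markup and written unencoded, so do not wrap
                untrusted data in HtmlString. --%>
        <asp:Label ID="lblAuto" runat="server" Text='<%#: Eval("FirstName") %>' />
    </ItemTemplate>
</asp:Repeater>

<%-- Outside data binding, the colon block (ASP.NET 4.0 and later) is the
     encoding counterpart of the = response-write block. --%>
<p>Hello, <%: Request.QueryString["name"] %></p>
```

A quick way to confirm which form a page is using is to bind a value such as `<b>test</b>` in a development environment and view the rendered source: the encoded forms emit `&lt;b&gt;test&lt;/b&gt;`, while the first form emits the tags themselves.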