
Automatically escaping user output in ASP.NET MVC

By pushpam abhishek

How do I automatically escape output in ASP.NET MVC?

In .NET 4, Microsoft added a new syntax, <%: … %>, which you may have started seeing in recent examples. It is designed to replace the old <%= … %> syntax. The difference is that it automatically HTML-escapes its output, unless that output comes from an HTML helper.

This makes the developer's life a lot easier. Before .NET 4.0, you had to remember to call Html.Encode() yourself whenever you wrote a value into the page:

<%= Html.Encode(ViewData["name"]) %> 
<%= Html.ActionLink("Home") %>

If you forgot, you could leave your site vulnerable to cross-site scripting attacks. The following code is a security risk, because the value is written into the page unescaped:

<%= ViewData["name"] %>

With .NET 4 you can have the output escaped automatically by using the new syntax:

<%: ViewData["name"] %>
<%: Html.ActionLink("Home") %>

Now you no longer need to remember when to escape output and when not to.
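The example below, which is an added illustration and not code from the original post, shows what the two syntaxes do with the same value. The <%: %> syntax compiles to a call to HttpUtility.HtmlEncode(object), which encodes everything except values that implement IHtmlString (the type HTML helpers such as Html.ActionLink return). It is a console program for .NET Framework 4.x with a reference to System.Web.dll; the sample input in Main is constructed, and the RenderLikeColonSyntax and RenderLikeEqualsSyntax names are my own.

```csharp
using System;
using System.Web; // .NET Framework 4.x: add a reference to System.Web.dll

static class OutputEscaping
{
    // What <%: expr %> does: encode everything except IHtmlString values,
    // which are emitted verbatim because a helper already built safe markup.
    public static string RenderLikeColonSyntax(object value)
    {
        if (value == null)
            return string.Empty;

        IHtmlString alreadyHtml = value as IHtmlString;
        if (alreadyHtml != null)
            return alreadyHtml.ToHtmlString();

        return HttpUtility.HtmlEncode(value.ToString());
    }

    // What <%= expr %> does: write the value's string form with no encoding.
    public static string RenderLikeEqualsSyntax(object value)
    {
        return value == null ? string.Empty : value.ToString();
    }

    static void Main()
    {
        // Constructed sample: untrusted text as a view would get it from ViewData["name"].
        object untrusted = "<b>Bob</b> & \"friends\"";

        Console.WriteLine("<%= %>  : " + RenderLikeEqualsSyntax(untrusted));
        Console.WriteLine("<%: %>  : " + RenderLikeColonSyntax(untrusted));

        // What a helper like Html.ActionLink returns: an IHtmlString, so it is
        // emitted as-is instead of being double-encoded into visible &lt;a&gt; text.
        IHtmlString helperOutput = new HtmlString("<a href=\"/\">Home</a>");
        Console.WriteLine("helper  : " + RenderLikeColonSyntax(helperOutput));

        // Caveat: wrapping untrusted text in HtmlString opts it out of escaping,
        // so this line is just as dangerous as the <%= %> version above.
        Console.WriteLine("wrapped : " + RenderLikeColonSyntax(new HtmlString((string)untrusted)));
    }
}
```

The first line prints the raw markup, the second prints it with `<`, `>`, `&` and `"` replaced by entities, and the third prints the link markup untouched. The last line is the one to watch for in code review: <%: %> only protects you while untrusted strings stay plain strings, so constructing an HtmlString or MvcHtmlString from user input re-introduces exactly the problem the new syntax was meant to remove.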


About pushpam abhishek

Pushpam Abhishek is a software and web developer and designer who specializes in back-end as well as front-end development. If you'd like to connect with him, follow him on Twitter as @pushpambhshk.
