Introducing .NET 4.0: with Visual Studio 2010

by Alex Mackey
February 2010
Beginner
400 pages
11h 13m
English
Apress

10.11. HTML Encoding

Every web developer should be aware that values written into a page must be HTML-encoded to prevent cross-site scripting (XSS) attacks, particularly when those values came from the user. ASP.NET 4.0 introduces a new markup syntax that uses a colon instead of an equals sign to tell ASP.NET to HTML-encode the output of the expression:

<%: "<script>alert('I won\'t be run');</script>" %>

When ASP.NET parses this, it treats it as the equivalent of:

<%= HttpUtility.HtmlEncode(YourVariableHere) %>

Bear in mind that this syntax does not prevent every XSS attack: HTML encoding alone is not sufficient when the value ends up inside complex nested HTML or JavaScript, where different encoding rules apply.

10.11.1. HtmlString

ASP.NET 4.0 includes the new HtmlString class, which indicates that an expression is already properly encoded and should not be encoded again. This ...
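The following console program is an added illustration, not code from the book, of the rule described above: a value written with the colon syntax is HTML-encoded unless it is already an HtmlString. The helper RenderLikeColonSyntax is a hypothetical stand-in for the page code ASP.NET generates, written only to show the two behaviours side by side; it needs a reference to System.Web.dll (.NET Framework 4.0 or later).

```csharp
// Added illustration (not from the book): how "encode unless already marked
// as HTML" behaves for untrusted input versus an HtmlString.
// Build against System.Web.dll (.NET Framework 4.0 or later).
using System;
using System.Web;

static class EncodingDemo
{
    // Hypothetical helper mirroring the semantics the chapter describes for
    // <%: expr %>: plain values are HTML-encoded, IHtmlString values are
    // written as they are. This is not the framework's generated page code.
    static string RenderLikeColonSyntax(object value)
    {
        var markup = value as IHtmlString;
        if (markup != null)
            return markup.ToHtmlString();          // already encoded: pass through
        return HttpUtility.HtmlEncode(Convert.ToString(value));
    }

    static void Main()
    {
        // Constructed untrusted input, standing in for a query string or form field.
        string userInput = "<script>alert('xss')</script>";

        // The unsafe form, equivalent to <%= userInput %>: the raw string reaches
        // the browser unchanged, so the markup inside it is interpreted.
        Console.WriteLine("<%= %> output: " + userInput);

        // The safe form, equivalent to <%: userInput %>: angle brackets and
        // quotes are encoded, so the browser renders text instead of a script.
        Console.WriteLine("<%: %> output: " + RenderLikeColonSyntax(userInput));

        // HtmlString opts out of encoding. Use it only for markup the application
        // built itself; wrapping user input in HtmlString reintroduces the XSS risk.
        var trustedMarkup = new HtmlString("<strong>Welcome back</strong>");
        Console.WriteLine("HtmlString output: " + RenderLikeColonSyntax(trustedMarkup));
    }
}
```

In a real review, the thing to check is the type of every value that reaches an HtmlString constructor: anything derived from user input there bypasses the colon syntax's protection.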


ISBN: 9781430224556