If the name of a link is pulled from the database, should you be calling the Html.Encode method to clean the name?

For example:

Html.ActionLink(Model.PersonFromDB.FirstName,
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)

or:

Html.ActionLink(Html.Encode(Model.PersonFromDB.FirstName),
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)

It would make sense that you would want to do this to ensure that there are no dangerous strings injected into the page between <a> and </a> tags, but are scripts and such executable between anchor tags?

1
  • I came across this site after posting the question and marking the answer, but I figure it's helpful to others who stumble onto this question: owasp.org/index.php/… Commented Feb 18, 2010 at 20:36

3 Answers

6

No, since according to this thread on SO Html.ActionLink() already HTML encodes values, so you'd end up doing it twice.


1 Comment

Correct; see GenerateLinkInternal in HtmlHelper.cs in the MVC 2 source code.
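An added illustration of the double-encoding the accepted answer warns about (this is example code written for this page, not the question's code and not the ASP.NET MVC source; the LinkDemo class and BuildLink method are stand-ins that mimic the one thing that matters here, namely that the link text is HTML-encoded once by the helper, and the sample first name is constructed):

```csharp
using System;
using System.Net;

static class LinkDemo
{
    // Stand-in for Html.ActionLink (assumed shape, not the real implementation):
    // the link text is HTML-encoded once because it lands between <a> and </a>,
    // while the id is URL-encoded because it lands inside the href attribute.
    public static string BuildLink(string linkText, string controller, string action, string id)
    {
        string href = "/" + Uri.EscapeDataString(controller)
                    + "/" + Uri.EscapeDataString(action)
                    + "/" + Uri.EscapeDataString(id);
        return "<a href=\"" + WebUtility.HtmlEncode(href) + "\">"
             + WebUtility.HtmlEncode(linkText)
             + "</a>";
    }

    static void Main()
    {
        // Constructed sample: a first name stored in the database that contains markup.
        string firstName = "<script>alert('x')</script>";

        // First form from the question: pass the raw value and let the helper encode it.
        // The browser shows the tag as literal text; nothing executes.
        Console.WriteLine(BuildLink(firstName, "Person", "Details", "42"));

        // Second form from the question: encode before calling the helper.
        // The helper encodes the already-escaped entities a second time, so the
        // page displays "&lt;script&gt;" character by character instead of "<script>".
        Console.WriteLine(BuildLink(WebUtility.HtmlEncode(firstName), "Person", "Details", "42"));
    }
}
```

Running it prints two anchors: in the first, every `<`, `>` and `'` of the name appears as a single entity; in the second, each `&` that the caller's encoding introduced has itself become `&amp;`, which is the visible symptom of encoding twice. The split between HtmlEncode for element content and EscapeDataString for the path segment is also why the right place to encode is the helper that knows which context each value is going into, which is the point made in the comment about the presentation layer below.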

0

It's certainly a good idea, but you should probably be preventing users from entering in potentially malicious strings as their first name.

2 Comments

ASP.NET MVC has a feature that checks all input to see if you are attempting to input script or malicious text, so that's already in place.
I generally agree, but keep in mind that "potentially malicious" depends a lot on where the data will be displayed. For instance, "</form>" is not at all damaging when displayed on a paper report or a raw DB report, it's only an issue when displayed in HTML. Thus, it's ultimately the job of the presentation layer to format the data according to its specific needs.

-1

Yes, absolutely. As a general rule, for any HTML that you are going to output that was originally obtained from an untrusted source, assuming the format wasn't HTML already (and sufficiently vetted), you should always HTML encode the string to protect against injection attacks.

1 Comment
