4

I'm using the asp mvc 3. When I build my views using the default html-helpers there is a problem with html-encoding in tag-attributes: The "greater-than"-sign isn't encoded.

So this code

<%: Html.TextBox("TestText", "<Test>") %>

produces this output

<input id="TestText" name="TestText" type="text" value="&lt;Test>" />

Is there any reason why the value attribute isn't fully encoded, or is this a bug? Or is there any way to use full encoding even in tag attributes?

Thanx, Michael

2 Answers

4

You misunderstood the <%: tag. The <%: tag only encodes normal strings, not an HtmlString as returned by the Html.TextBox helper.

Example:

<%: Html.TextBox("TestText", "<Test>") %>
<%= Html.TextBox("TestText2", "<Test>") %>

Both statements return the same text value as mentioned in question. Now consider this statement.

<%: "<Test>" %>

This statement encodes, since now a normal string is passed.

EDIT:

After checking the source code of MVC, HttpUtility.HtmlAttributeEncode is called under the hood. It minimally converts a string to an HTML-encoded string.


2 Comments

No - I didn't misunderstand the <%: tag, respectively the <%= tag. But I wonder why a <%: "<Test>" %> is encoded correctly while the value in my example is encoded to "&lt;Test>". I don't expect that the whole tag is encoded - I just expect that the value of an attribute is fully encoded.
Thanx. That's what I was looking for - even if I don't understand why they don't use HtmlEncode. So I have to build my own helpers which do a full encoding.
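The helper the asker says he now has to write, as an added example that is not part of the question or either answer and not MVC's own code: an HtmlHelper extension that renders the value attribute through HttpUtility.HtmlEncode (which also turns '>' into &gt;) instead of the HttpUtility.HtmlAttributeEncode that the built-in Html.TextBox uses. It assumes ASP.NET MVC 3 on .NET 4; the namespace MyApp.Helpers and the method name FullyEncodedTextBox are placeholders.

```csharp
using System.Web;
using System.Web.Mvc;

namespace MyApp.Helpers // placeholder namespace for this example
{
    public static class FullEncodingHelpers
    {
        // Renders <input type="text"> like Html.TextBox, but with every attribute value
        // passed through HttpUtility.HtmlEncode, so '<', '>', '&', '"' and '\'' are all
        // converted. The attribute is always emitted inside double quotes, which is the
        // precondition that makes attribute encoding (of any flavour) sufficient.
        public static MvcHtmlString FullyEncodedTextBox(this HtmlHelper html, string name, string value)
        {
            // Same id sanitisation the framework's TagBuilder applies to the name.
            string id = TagBuilder.CreateSanitizedId(name);

            string markup = string.Format(
                "<input id=\"{0}\" name=\"{1}\" type=\"text\" value=\"{2}\" />",
                HttpUtility.HtmlEncode(id),
                HttpUtility.HtmlEncode(name),
                HttpUtility.HtmlEncode(value ?? string.Empty));

            // MvcHtmlString marks the markup as already encoded, so <%: %> leaves it alone.
            return MvcHtmlString.Create(markup);
        }

        // Side-by-side comparison of the two encoders for a given value, useful when
        // explaining to a reviewer what the framework does and does not convert.
        public static string DescribeEncodings(string value)
        {
            return "HtmlAttributeEncode: " + HttpUtility.HtmlAttributeEncode(value)
                 + " | HtmlEncode: " + HttpUtility.HtmlEncode(value);
        }
    }
}

// In a view (after importing the MyApp.Helpers namespace):
//   <%: Html.FullyEncodedTextBox("TestText", "<Test>") %>
// renders
//   <input id="TestText" name="TestText" type="text" value="&lt;Test&gt;" />
// and DescribeEncodings("<Test>") returns
//   HtmlAttributeEncode: &lt;Test> | HtmlEncode: &lt;Test&gt;
```

Two points worth keeping in mind when using this. First, HtmlAttributeEncode already converts '<', '&' and '"', and inside a double-quoted attribute those (plus the quote itself) are the only characters that can end the value or start an entity; a bare '>' cannot close the tag there, which is why the second answer calls it harmless. The full encoding above therefore satisfies a scanner rule rather than closing a hole. Second, the guarantee only holds while the attribute stays double-quoted; the helper hard-codes the quotes for exactly that reason, so never build the markup by concatenating unquoted attributes.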
1

"<test>" is being HTML encoded. The greater-than character '>' by itself is harmless, which is why it wasn't converted into &gt;

2 Comments

Even if it is harmless, I can't understand why MS uses two encoding types. The Server.HTMLEncode works as expected - but it seems that they use another function here. My problem is that every application we publish over the internet in our company must pass a security check. And the guys doing this check rate this fragmental encoding as a vulnerability. And no chance to discuss this...
Maybe not worth waking up a very old thread, but MSDN says that HtmlEncode is orders of magnitude slower than HtmlAttributeEncode, which is why it is not used everywhere.
