
Good day!

I'd like to HTML encode all user input on the ASP.NET MVC 2 site by default. Can this be done somewhere at the model binder level?

If I disable input validation for an action, I will need to HTML-encode every other value. If I keep ASP.NET request validation on, it will throw errors: "A potentially dangerous Request.Form value was detected from the client".

P.S. I do use encoding when outputting data (<%: %> syntax), but I'd like to encode everything on posting it too.

Thanks in advance!

  • Why? To just work around the 'potentially dangerous' error? That's the wrong way to do this - just disable that error if you're confident it's not needed. You'd need to do the encode in JavaScript before you submit the form and you can't rely on the client to run that script. Commented Mar 2, 2011 at 15:21
  • No, I'd like to perform HTML encoding by default on the server for all my fields (and selectively allow it for some fields). The reason is that a user can try to post HTML and he shouldn't get an error -- it will be better if he sees that the HTML was encoded. Commented Mar 2, 2011 at 15:34
  • HTML encoding everything on the server makes absolutely no sense whatsoever. Don't do it, please. Use <%: %> or <%= Html.DisplayFor(x => x.Foo) %> and be happy. Commented Mar 2, 2011 at 16:43
  • Why do you want to encode user input? You need to encode the output. Commented Mar 2, 2011 at 17:24
  • Encoding input is the best way, because once it is in the database in encoded format we don't want to worry whenever it is output. Commented Jun 2, 2011 at 6:45

2 Answers

Unfortunately XSS is an output problem, not an input problem. Running everything through an HTML encoder will not solve all your problems. There are many ways of obtaining XSS without <>.

In general input should be validated just before use. You cannot predict how all input will be used, and you will end up corrupting data.

You can override the DefaultModelBinder.

1 Comment

P.S. I don't know why you want to do this, but it is certainly possible
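One way to do what this answer describes, written here as an added example rather than code taken from the answer or from ASP.NET MVC itself; the class names, the SkipHtmlEncoding marker attribute and the CommentModel are assumptions:

```csharp
using System;
using System.Web;
using System.Web.Mvc;
// Hypothetical marker for the few properties that may keep raw markup.
[AttributeUsage(AttributeTargets.Property)]
public sealed class SkipHtmlEncodingAttribute : Attribute { }

// HTML-encodes every bound string. Properties of complex models pass through
// here one at a time, since DefaultModelBinder resolves each property's binder
// via ModelBinders.Binders, which falls back to DefaultBinder.
public class HtmlEncodingModelBinder : DefaultModelBinder
{
    public override object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        object value = base.BindModel(controllerContext, bindingContext);
        var text = value as string;
        if (text == null || IsExempt(bindingContext))
            return value;
        return HttpUtility.HtmlEncode(text);   // "<b>hi</b>" becomes "&lt;b&gt;hi&lt;/b&gt;"
    }
    private static bool IsExempt(ModelBindingContext ctx)
    {
        var meta = ctx.ModelMetadata;
        if (meta == null || meta.ContainerType == null || meta.PropertyName == null)
            return false;
        var prop = meta.ContainerType.GetProperty(meta.PropertyName);
        return prop != null && prop.IsDefined(typeof(SkipHtmlEncodingAttribute), true);
    }
}

public class CommentModel
{
    public string Title { get; set; }                    // stored encoded
    [SkipHtmlEncoding] public string Body { get; set; }  // left as posted
}

public class CommentsController : Controller
{
    // Request validation must be off here, or the "potentially dangerous
    // Request.Form value" error fires before the binder ever runs.
    [HttpPost, ValidateInput(false)]
    public ActionResult Create(CommentModel model) { return View(model); }
}

// Global.asax.cs: install it once as the site-wide default binder.
public class MvcApplication : HttpApplication
{
    protected void Application_Start() { ModelBinders.Binders.DefaultBinder = new HtmlEncodingModelBinder(); }
}
```

Because the value is now stored already encoded, rendering it again with <%: %> encodes it a second time, which is the data corruption the first answer warns about.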
