[{"data":1,"prerenderedAt":1345},["ShallowReactive",2],{"blog:2007:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection":3,"blogMore-Development":1022,"comments-5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection":1035},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"category":11,"tags":12,"excerpt":18,"body":47,"_type":1013,"_id":1014,"_source":1015,"_file":1016,"_stem":1017,"_extension":1018,"url":1019,"wordCount":1020,"minutes":176,"commentCount":1021},"/blog/2007/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection","2007",false,"en","5 signs your ASP.NET application may be vulnerable to HTML injection","If you don’t encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting through to capturing and interfering with form data via remote scripts (XSS). Such vulnerabilities are incredibly dangerous.","2007-12-18T01:37:58+00:00","Development",[13,14,15,16,17],".NET","ASP.NET","security","C#","webdev",{"type":19,"children":20},"root",[21,33],{"type":22,"tag":23,"props":24,"children":25},"element","p",{},[26,29,31],{"type":27,"value":28},"text","If you don’t encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting through to capturing and interfering with form data via remote scripts (XSS). Such vulnerabilities are ",{"type":27,"value":30},"incredibly dangerous",{"type":27,"value":32},".",{"type":22,"tag":23,"props":34,"children":35},{},[36,38,45],{"type":27,"value":37},"Using MonoRail or Microsoft’s MVC does not make you automatically immune; use ",{"type":22,"tag":39,"props":40,"children":42},"code",{"className":41},[],[43],{"type":27,"value":44},"{! 
}",{"type":27,"value":46}," in MonoRail’s Brail engine and the HtmlHelpers in Microsoft’s MVC to ensure correct encoding.",{"type":19,"children":48,"toc":1005},[49,60,70,91,98,111,216,222,235,447,453,458,463,650,656,661,666,799,804,810,815,828,946,952,972,977,986,999],{"type":22,"tag":23,"props":50,"children":51},{},[52,53,59],{"type":27,"value":28},{"type":22,"tag":54,"props":55,"children":57},"a",{"href":56},"/blog/2007/how-dangerous-is-html-injection/",[58],{"type":27,"value":30},{"type":27,"value":32},{"type":22,"tag":23,"props":61,"children":62},{},[63,64,69],{"type":27,"value":37},{"type":22,"tag":39,"props":65,"children":67},{"className":66},[],[68],{"type":27,"value":44},{"type":27,"value":46},{"type":22,"tag":23,"props":71,"children":72},{},[73,75,81,83,89],{"type":27,"value":74},"Just imagine ",{"type":22,"tag":39,"props":76,"children":78},{"className":77},[],[79],{"type":27,"value":80},"post.Author ",{"type":27,"value":82},"contains ",{"type":22,"tag":39,"props":84,"children":86},{"className":85},[],[87],{"type":27,"value":88},"\">\u003Cscript src=\"http://abadsite.com\">\u003C/script>",{"type":27,"value":90}," after an unscrupulous user entered that into a field your application uses and it got into the database. The following typical ASP.NET techniques would leave you open.",{"type":22,"tag":92,"props":93,"children":95},"h2",{"id":94},"_1-you-use-or-tags-to-output-data",[96],{"type":27,"value":97},"1. 
You use \u003C%= %> or \u003C%# %> tags to output data",{"type":22,"tag":23,"props":99,"children":100},{},[101,103,109],{"type":27,"value":102},"Example showing outputting literals with ",{"type":22,"tag":39,"props":104,"children":106},{"className":105},[],[107],{"type":27,"value":108},"\u003C%= %>",{"type":27,"value":110}," :",{"type":22,"tag":112,"props":113,"children":118},"pre",{"className":114,"code":115,"language":116,"meta":117,"style":117},"language-jsx shiki shiki-themes everforest-light dracula","// Vulnerable\n\u003Cp>Posted by \u003C%= post.Author %>\u003C/p>\n// Secure\n\u003Cp>Posted by \u003C%= HttpUtility.HtmlEncode(post.Author) %>\u003C/p>\n","jsx","",[119],{"type":22,"tag":39,"props":120,"children":121},{"__ignoreMap":117},[122,134,174,183],{"type":22,"tag":123,"props":124,"children":127},"span",{"class":125,"line":126},"line",1,[128],{"type":22,"tag":123,"props":129,"children":131},{"style":130},"--shiki-default:#939F91;--shiki-default-font-style:italic;--shiki-dark:#6272A4;--shiki-dark-font-style:inherit",[132],{"type":27,"value":133},"// Vulnerable\n",{"type":22,"tag":123,"props":135,"children":137},{"class":125,"line":136},2,[138,144,149,154,160,165,169],{"type":22,"tag":123,"props":139,"children":141},{"style":140},"--shiki-default:#8DA101;--shiki-dark:#F8F8F2",[142],{"type":27,"value":143},"\u003C",{"type":22,"tag":123,"props":145,"children":147},{"style":146},"--shiki-default:#F57D26;--shiki-dark:#FF79C6",[148],{"type":27,"value":23},{"type":22,"tag":123,"props":150,"children":151},{"style":140},[152],{"type":27,"value":153},">",{"type":22,"tag":123,"props":155,"children":157},{"style":156},"--shiki-default:#5C6A72;--shiki-dark:#F8F8F2",[158],{"type":27,"value":159},"Posted by \u003C%= post.Author 
%>",{"type":22,"tag":123,"props":161,"children":162},{"style":140},[163],{"type":27,"value":164},"\u003C/",{"type":22,"tag":123,"props":166,"children":167},{"style":146},[168],{"type":27,"value":23},{"type":22,"tag":123,"props":170,"children":171},{"style":140},[172],{"type":27,"value":173},">\n",{"type":22,"tag":123,"props":175,"children":177},{"class":125,"line":176},3,[178],{"type":22,"tag":123,"props":179,"children":180},{"style":130},[181],{"type":27,"value":182},"// Secure\n",{"type":22,"tag":123,"props":184,"children":186},{"class":125,"line":185},4,[187,191,195,199,204,208,212],{"type":22,"tag":123,"props":188,"children":189},{"style":140},[190],{"type":27,"value":143},{"type":22,"tag":123,"props":192,"children":193},{"style":146},[194],{"type":27,"value":23},{"type":22,"tag":123,"props":196,"children":197},{"style":140},[198],{"type":27,"value":153},{"type":22,"tag":123,"props":200,"children":201},{"style":156},[202],{"type":27,"value":203},"Posted by \u003C%= HttpUtility.HtmlEncode(post.Author) %>",{"type":22,"tag":123,"props":205,"children":206},{"style":140},[207],{"type":27,"value":164},{"type":22,"tag":123,"props":209,"children":210},{"style":146},[211],{"type":27,"value":23},{"type":22,"tag":123,"props":213,"children":214},{"style":140},[215],{"type":27,"value":173},{"type":22,"tag":92,"props":217,"children":219},{"id":218},"_2-you-use-responsewrite",[220],{"type":27,"value":221},"2. 
You use Response.Write",{"type":22,"tag":23,"props":223,"children":224},{},[225,227,233],{"type":27,"value":226},"Example showing writing out attributes with Response.Write and String.Format, again post.Author could contain ",{"type":22,"tag":39,"props":228,"children":230},{"className":229},[],[231],{"type":27,"value":232},"\u003Cscript>",{"type":27,"value":234},":",{"type":22,"tag":112,"props":236,"children":240},{"className":237,"code":238,"language":239,"meta":117,"style":117},"language-csharp shiki shiki-themes everforest-light dracula","// Vulnerable\nResponse.Write(String.Format(\"\u003Cinput type=\\\"text\\\" value=\\\"{0}\\\" />\", post.Author));\n// Secure\nResponse.Write(String.Format(\"\u003Cinput type=\\\"text\\\" value=\\\"{0}\\\" />\", HttpUtility.HtmlAttributeEncode(post.Author)));\n","csharp",[241],{"type":22,"tag":39,"props":242,"children":243},{"__ignoreMap":117},[244,251,349,356],{"type":22,"tag":123,"props":245,"children":246},{"class":125,"line":126},[247],{"type":22,"tag":123,"props":248,"children":249},{"style":130},[250],{"type":27,"value":133},{"type":22,"tag":123,"props":252,"children":253},{"class":125,"line":136},[254,259,265,270,275,280,286,292,298,302,306,311,315,320,324,329,333,338,344],{"type":22,"tag":123,"props":255,"children":256},{"style":156},[257],{"type":27,"value":258},"Response.",{"type":22,"tag":123,"props":260,"children":262},{"style":261},"--shiki-default:#8DA101;--shiki-dark:#50FA7B",[263],{"type":27,"value":264},"Write",{"type":22,"tag":123,"props":266,"children":267},{"style":156},[268],{"type":27,"value":269},"(String.",{"type":22,"tag":123,"props":271,"children":272},{"style":261},[273],{"type":27,"value":274},"Format",{"type":22,"tag":123,"props":276,"children":277},{"style":156},[278],{"type":27,"value":279},"(",{"type":22,"tag":123,"props":281,"children":283},{"style":282},"--shiki-default:#8DA101;--shiki-dark:#E9F284",[284],{"type":27,"value":285},"\"",{"type":22,"tag":123,"props":287,"children":289},{"style":288},"
--shiki-default:#8DA101;--shiki-dark:#F1FA8C",[290],{"type":27,"value":291},"\u003Cinput type=",{"type":22,"tag":123,"props":293,"children":295},{"style":294},"--shiki-default:#DFA000;--shiki-dark:#FF79C6",[296],{"type":27,"value":297},"\\\"",{"type":22,"tag":123,"props":299,"children":300},{"style":288},[301],{"type":27,"value":27},{"type":22,"tag":123,"props":303,"children":304},{"style":294},[305],{"type":27,"value":297},{"type":22,"tag":123,"props":307,"children":308},{"style":288},[309],{"type":27,"value":310}," value=",{"type":22,"tag":123,"props":312,"children":313},{"style":294},[314],{"type":27,"value":297},{"type":22,"tag":123,"props":316,"children":317},{"style":288},[318],{"type":27,"value":319},"{0}",{"type":22,"tag":123,"props":321,"children":322},{"style":294},[323],{"type":27,"value":297},{"type":22,"tag":123,"props":325,"children":326},{"style":288},[327],{"type":27,"value":328}," />",{"type":22,"tag":123,"props":330,"children":331},{"style":282},[332],{"type":27,"value":285},{"type":22,"tag":123,"props":334,"children":335},{"style":156},[336],{"type":27,"value":337},", 
post.",{"type":22,"tag":123,"props":339,"children":341},{"style":340},"--shiki-default:#35A77C;--shiki-dark:#F8F8F2",[342],{"type":27,"value":343},"Author",{"type":22,"tag":123,"props":345,"children":346},{"style":156},[347],{"type":27,"value":348},"));\n",{"type":22,"tag":123,"props":350,"children":351},{"class":125,"line":176},[352],{"type":22,"tag":123,"props":353,"children":354},{"style":130},[355],{"type":27,"value":182},{"type":22,"tag":123,"props":357,"children":358},{"class":125,"line":185},[359,363,367,371,375,379,383,387,391,395,399,403,407,411,415,419,423,428,433,438,442],{"type":22,"tag":123,"props":360,"children":361},{"style":156},[362],{"type":27,"value":258},{"type":22,"tag":123,"props":364,"children":365},{"style":261},[366],{"type":27,"value":264},{"type":22,"tag":123,"props":368,"children":369},{"style":156},[370],{"type":27,"value":269},{"type":22,"tag":123,"props":372,"children":373},{"style":261},[374],{"type":27,"value":274},{"type":22,"tag":123,"props":376,"children":377},{"style":156},[378],{"type":27,"value":279},{"type":22,"tag":123,"props":380,"children":381},{"style":282},[382],{"type":27,"value":285},{"type":22,"tag":123,"props":384,"children":385},{"style":288},[386],{"type":27,"value":291},{"type":22,"tag":123,"props":388,"children":389},{"style":294},[390],{"type":27,"value":297},{"type":22,"tag":123,"props":392,"children":393},{"style":288},[394],{"type":27,"value":27},{"type":22,"tag":123,"props":396,"children":397},{"style":294},[398],{"type":27,"value":297},{"type":22,"tag":123,"props":400,"children":401},{"style":288},[402],{"type":27,"value":310},{"type":22,"tag":123,"props":404,"children":405},{"style":294},[406],{"type":27,"value":297},{"type":22,"tag":123,"props":408,"children":409},{"style":288},[410],{"type":27,"value":319},{"type":22,"tag":123,"props":412,"children":413},{"style":294},[414],{"type":27,"value":297},{"type":22,"tag":123,"props":416,"children":417},{"style":288},[418],{"type":27,"value":328},{"type":22,"tag":
123,"props":420,"children":421},{"style":282},[422],{"type":27,"value":285},{"type":22,"tag":123,"props":424,"children":425},{"style":156},[426],{"type":27,"value":427},", HttpUtility.",{"type":22,"tag":123,"props":429,"children":430},{"style":261},[431],{"type":27,"value":432},"HtmlAttributeEncode",{"type":22,"tag":123,"props":434,"children":435},{"style":156},[436],{"type":27,"value":437},"(post.",{"type":22,"tag":123,"props":439,"children":440},{"style":340},[441],{"type":27,"value":343},{"type":22,"tag":123,"props":443,"children":444},{"style":156},[445],{"type":27,"value":446},"));\n",{"type":22,"tag":92,"props":448,"children":450},{"id":449},"_3-you-set-href-or-src-on-htmlanchor-htmlimage-or-htmlnputimage-controls",[451],{"type":27,"value":452},"3. You set HRef or Src on HtmlAnchor, HtmlImage or HtmlInputImage controls",{"type":22,"tag":23,"props":454,"children":455},{},[456],{"type":27,"value":457},"In general the HtmlControls namespace is very well behaved with encoding, but there is a bug in the code that attempts to adjust the relative URLs for href and src attributes which causes those properties to bypass encoding (I’ve reported this to Microsoft).",{"type":22,"tag":23,"props":459,"children":460},{},[461],{"type":27,"value":462},"Example showing anchor HRef attribute abuse:",{"type":22,"tag":112,"props":464,"children":466},{"className":237,"code":465,"language":239,"meta":117,"style":117},"// Vulnerable\noutputDiv.Controls.Add(new HtmlAnchor() { Text = \"Test\", HRef = post.Author } );\n// Secure\noutputDiv.Controls.Add(new HtmlAnchor() { Text = \"Test\", HRef = HttpUtility.HtmlAttributeEncode(post.Author) } 
);\n",[467],{"type":22,"tag":39,"props":468,"children":469},{"__ignoreMap":117},[470,477,562,569],{"type":22,"tag":123,"props":471,"children":472},{"class":125,"line":126},[473],{"type":22,"tag":123,"props":474,"children":475},{"style":130},[476],{"type":27,"value":133},{"type":22,"tag":123,"props":478,"children":479},{"class":125,"line":136},[480,485,490,494,499,503,509,515,520,525,530,535,539,544,548,553,557],{"type":22,"tag":123,"props":481,"children":482},{"style":156},[483],{"type":27,"value":484},"outputDiv.",{"type":22,"tag":123,"props":486,"children":487},{"style":340},[488],{"type":27,"value":489},"Controls",{"type":22,"tag":123,"props":491,"children":492},{"style":156},[493],{"type":27,"value":32},{"type":22,"tag":123,"props":495,"children":496},{"style":261},[497],{"type":27,"value":498},"Add",{"type":22,"tag":123,"props":500,"children":501},{"style":156},[502],{"type":27,"value":279},{"type":22,"tag":123,"props":504,"children":506},{"style":505},"--shiki-default:#F85552;--shiki-dark:#FF79C6",[507],{"type":27,"value":508},"new",{"type":22,"tag":123,"props":510,"children":512},{"style":511},"--shiki-default:#3A94C5;--shiki-default-font-style:inherit;--shiki-dark:#8BE9FD;--shiki-dark-font-style:italic",[513],{"type":27,"value":514}," HtmlAnchor",{"type":22,"tag":123,"props":516,"children":517},{"style":156},[518],{"type":27,"value":519},"() { Text ",{"type":22,"tag":123,"props":521,"children":522},{"style":146},[523],{"type":27,"value":524},"=",{"type":22,"tag":123,"props":526,"children":527},{"style":282},[528],{"type":27,"value":529}," \"",{"type":22,"tag":123,"props":531,"children":532},{"style":288},[533],{"type":27,"value":534},"Test",{"type":22,"tag":123,"props":536,"children":537},{"style":282},[538],{"type":27,"value":285},{"type":22,"tag":123,"props":540,"children":541},{"style":156},[542],{"type":27,"value":543},", HRef 
",{"type":22,"tag":123,"props":545,"children":546},{"style":146},[547],{"type":27,"value":524},{"type":22,"tag":123,"props":549,"children":550},{"style":156},[551],{"type":27,"value":552}," post.",{"type":22,"tag":123,"props":554,"children":555},{"style":340},[556],{"type":27,"value":343},{"type":22,"tag":123,"props":558,"children":559},{"style":156},[560],{"type":27,"value":561}," } );\n",{"type":22,"tag":123,"props":563,"children":564},{"class":125,"line":176},[565],{"type":22,"tag":123,"props":566,"children":567},{"style":130},[568],{"type":27,"value":182},{"type":22,"tag":123,"props":570,"children":571},{"class":125,"line":185},[572,576,580,584,588,592,596,600,604,608,612,616,620,624,628,633,637,641,645],{"type":22,"tag":123,"props":573,"children":574},{"style":156},[575],{"type":27,"value":484},{"type":22,"tag":123,"props":577,"children":578},{"style":340},[579],{"type":27,"value":489},{"type":22,"tag":123,"props":581,"children":582},{"style":156},[583],{"type":27,"value":32},{"type":22,"tag":123,"props":585,"children":586},{"style":261},[587],{"type":27,"value":498},{"type":22,"tag":123,"props":589,"children":590},{"style":156},[591],{"type":27,"value":279},{"type":22,"tag":123,"props":593,"children":594},{"style":505},[595],{"type":27,"value":508},{"type":22,"tag":123,"props":597,"children":598},{"style":511},[599],{"type":27,"value":514},{"type":22,"tag":123,"props":601,"children":602},{"style":156},[603],{"type":27,"value":519},{"type":22,"tag":123,"props":605,"children":606},{"style":146},[607],{"type":27,"value":524},{"type":22,"tag":123,"props":609,"children":610},{"style":282},[611],{"type":27,"value":529},{"type":22,"tag":123,"props":613,"children":614},{"style":288},[615],{"type":27,"value":534},{"type":22,"tag":123,"props":617,"children":618},{"style":282},[619],{"type":27,"value":285},{"type":22,"tag":123,"props":621,"children":622},{"style":156},[623],{"type":27,"value":543},{"type":22,"tag":123,"props":625,"children":626},{"style":146},[627],{"typ
e":27,"value":524},{"type":22,"tag":123,"props":629,"children":630},{"style":156},[631],{"type":27,"value":632}," HttpUtility.",{"type":22,"tag":123,"props":634,"children":635},{"style":261},[636],{"type":27,"value":432},{"type":22,"tag":123,"props":638,"children":639},{"style":156},[640],{"type":27,"value":437},{"type":22,"tag":123,"props":642,"children":643},{"style":340},[644],{"type":27,"value":343},{"type":22,"tag":123,"props":646,"children":647},{"style":156},[648],{"type":27,"value":649},") } );\n",{"type":22,"tag":92,"props":651,"children":653},{"id":652},"_4-you-set-the-text-property-of-webcontrolswebforms",[654],{"type":27,"value":655},"4. You set the Text property of WebControls/WebForms",{"type":22,"tag":23,"props":657,"children":658},{},[659],{"type":27,"value":660},"You would imagine the high-level WebForms controls would take care of encoding and you’d be wrong.",{"type":22,"tag":23,"props":662,"children":663},{},[664],{"type":27,"value":665},"Example showing the Label control being so easily taken advantage of:",{"type":22,"tag":112,"props":667,"children":669},{"className":237,"code":668,"language":239,"meta":117,"style":117},"// Vulnerable\noutputDiv.Controls.Add(new Label() { Text = post.Author } );\n// Secure\noutputDiv.Controls.Add(new Label() { Text = HttpUtility.HtmlEncode(post.Author) } 
);\n",[670],{"type":22,"tag":39,"props":671,"children":672},{"__ignoreMap":117},[673,680,732,739],{"type":22,"tag":123,"props":674,"children":675},{"class":125,"line":126},[676],{"type":22,"tag":123,"props":677,"children":678},{"style":130},[679],{"type":27,"value":133},{"type":22,"tag":123,"props":681,"children":682},{"class":125,"line":136},[683,687,691,695,699,703,707,712,716,720,724,728],{"type":22,"tag":123,"props":684,"children":685},{"style":156},[686],{"type":27,"value":484},{"type":22,"tag":123,"props":688,"children":689},{"style":340},[690],{"type":27,"value":489},{"type":22,"tag":123,"props":692,"children":693},{"style":156},[694],{"type":27,"value":32},{"type":22,"tag":123,"props":696,"children":697},{"style":261},[698],{"type":27,"value":498},{"type":22,"tag":123,"props":700,"children":701},{"style":156},[702],{"type":27,"value":279},{"type":22,"tag":123,"props":704,"children":705},{"style":505},[706],{"type":27,"value":508},{"type":22,"tag":123,"props":708,"children":709},{"style":511},[710],{"type":27,"value":711}," 
Label",{"type":22,"tag":123,"props":713,"children":714},{"style":156},[715],{"type":27,"value":519},{"type":22,"tag":123,"props":717,"children":718},{"style":146},[719],{"type":27,"value":524},{"type":22,"tag":123,"props":721,"children":722},{"style":156},[723],{"type":27,"value":552},{"type":22,"tag":123,"props":725,"children":726},{"style":340},[727],{"type":27,"value":343},{"type":22,"tag":123,"props":729,"children":730},{"style":156},[731],{"type":27,"value":561},{"type":22,"tag":123,"props":733,"children":734},{"class":125,"line":176},[735],{"type":22,"tag":123,"props":736,"children":737},{"style":130},[738],{"type":27,"value":182},{"type":22,"tag":123,"props":740,"children":741},{"class":125,"line":185},[742,746,750,754,758,762,766,770,774,778,782,787,791,795],{"type":22,"tag":123,"props":743,"children":744},{"style":156},[745],{"type":27,"value":484},{"type":22,"tag":123,"props":747,"children":748},{"style":340},[749],{"type":27,"value":489},{"type":22,"tag":123,"props":751,"children":752},{"style":156},[753],{"type":27,"value":32},{"type":22,"tag":123,"props":755,"children":756},{"style":261},[757],{"type":27,"value":498},{"type":22,"tag":123,"props":759,"children":760},{"style":156},[761],{"type":27,"value":279},{"type":22,"tag":123,"props":763,"children":764},{"style":505},[765],{"type":27,"value":508},{"type":22,"tag":123,"props":767,"children":768},{"style":511},[769],{"type":27,"value":711},{"type":22,"tag":123,"props":771,"children":772},{"style":156},[773],{"type":27,"value":519},{"type":22,"tag":123,"props":775,"children":776},{"style":146},[777],{"type":27,"value":524},{"type":22,"tag":123,"props":779,"children":780},{"style":156},[781],{"type":27,"value":632},{"type":22,"tag":123,"props":783,"children":784},{"style":261},[785],{"type":27,"value":786},"HtmlEncode",{"type":22,"tag":123,"props":788,"children":789},{"style":156},[790],{"type":27,"value":437},{"type":22,"tag":123,"props":792,"children":793},{"style":340},[794],{"type":27,"value":343},{"
type":22,"tag":123,"props":796,"children":797},{"style":156},[798],{"type":27,"value":649},{"type":22,"tag":23,"props":800,"children":801},{},[802],{"type":27,"value":803},"The one exception to this is the Text property of input controls, as they put the value into an attribute and therefore call HttpUtility.HtmlAttributeEncode for you.",{"type":22,"tag":92,"props":805,"children":807},{"id":806},"_5-you-use-the-literalcontrol",[808],{"type":27,"value":809},"5. You use the LiteralControl",{"type":22,"tag":23,"props":811,"children":812},{},[813],{"type":27,"value":814},"LiteralControl is a useful control for adding text to the output stream that doesn’t require its own tag. It also helpfully, and uncharacteristically, provides a useful constructor. Unfortunately it fails to encode the output.",{"type":22,"tag":23,"props":816,"children":817},{},[818,820,826],{"type":27,"value":819},"Example showing poor ",{"type":22,"tag":39,"props":821,"children":823},{"className":822},[],[824],{"type":27,"value":825},"LiteralControl",{"type":27,"value":827}," wide open:",{"type":22,"tag":112,"props":829,"children":831},{"className":237,"code":830,"language":239,"meta":117,"style":117},"// Vulnerable\noutputDiv.Controls.Add(new LiteralControl(post.Author));\n// Secure\noutputDiv.Controls.Add(new 
LiteralControl(HttpUtility.HtmlEncode(post.Author)));\n",[832],{"type":22,"tag":39,"props":833,"children":834},{"__ignoreMap":117},[835,842,886,893],{"type":22,"tag":123,"props":836,"children":837},{"class":125,"line":126},[838],{"type":22,"tag":123,"props":839,"children":840},{"style":130},[841],{"type":27,"value":133},{"type":22,"tag":123,"props":843,"children":844},{"class":125,"line":136},[845,849,853,857,861,865,869,874,878,882],{"type":22,"tag":123,"props":846,"children":847},{"style":156},[848],{"type":27,"value":484},{"type":22,"tag":123,"props":850,"children":851},{"style":340},[852],{"type":27,"value":489},{"type":22,"tag":123,"props":854,"children":855},{"style":156},[856],{"type":27,"value":32},{"type":22,"tag":123,"props":858,"children":859},{"style":261},[860],{"type":27,"value":498},{"type":22,"tag":123,"props":862,"children":863},{"style":156},[864],{"type":27,"value":279},{"type":22,"tag":123,"props":866,"children":867},{"style":505},[868],{"type":27,"value":508},{"type":22,"tag":123,"props":870,"children":871},{"style":511},[872],{"type":27,"value":873}," 
LiteralControl",{"type":22,"tag":123,"props":875,"children":876},{"style":156},[877],{"type":27,"value":437},{"type":22,"tag":123,"props":879,"children":880},{"style":340},[881],{"type":27,"value":343},{"type":22,"tag":123,"props":883,"children":884},{"style":156},[885],{"type":27,"value":446},{"type":22,"tag":123,"props":887,"children":888},{"class":125,"line":176},[889],{"type":22,"tag":123,"props":890,"children":891},{"style":130},[892],{"type":27,"value":182},{"type":22,"tag":123,"props":894,"children":895},{"class":125,"line":185},[896,900,904,908,912,916,920,924,929,933,937,941],{"type":22,"tag":123,"props":897,"children":898},{"style":156},[899],{"type":27,"value":484},{"type":22,"tag":123,"props":901,"children":902},{"style":340},[903],{"type":27,"value":489},{"type":22,"tag":123,"props":905,"children":906},{"style":156},[907],{"type":27,"value":32},{"type":22,"tag":123,"props":909,"children":910},{"style":261},[911],{"type":27,"value":498},{"type":22,"tag":123,"props":913,"children":914},{"style":156},[915],{"type":27,"value":279},{"type":22,"tag":123,"props":917,"children":918},{"style":505},[919],{"type":27,"value":508},{"type":22,"tag":123,"props":921,"children":922},{"style":511},[923],{"type":27,"value":873},{"type":22,"tag":123,"props":925,"children":926},{"style":156},[927],{"type":27,"value":928},"(HttpUtility.",{"type":22,"tag":123,"props":930,"children":931},{"style":261},[932],{"type":27,"value":786},{"type":22,"tag":123,"props":934,"children":935},{"style":156},[936],{"type":27,"value":437},{"type":22,"tag":123,"props":938,"children":939},{"style":340},[940],{"type":27,"value":343},{"type":22,"tag":123,"props":942,"children":943},{"style":156},[944],{"type":27,"value":945},")));\n",{"type":22,"tag":92,"props":947,"children":949},{"id":948},"warning-do-not",[950],{"type":27,"value":951},"Warning! 
Do not:",{"type":22,"tag":953,"props":954,"children":955},"ol",{},[956,962,967],{"type":22,"tag":957,"props":958,"children":959},"li",{},[960],{"type":27,"value":961},"Encode data in the database: your contaminated data will be difficult to use elsewhere and will end up double-encoded",{"type":22,"tag":957,"props":963,"children":964},{},[965],{"type":27,"value":966},"Look for script on submit: you won’t catch every combination and it might prevent valid data",{"type":22,"tag":957,"props":968,"children":969},{},[970],{"type":27,"value":971},"Trap entry with client-side code: it is trivially bypassed",{"type":22,"tag":23,"props":973,"children":974},{},[975],{"type":27,"value":976},"Just encode the output.",{"type":22,"tag":23,"props":978,"children":979},{},[980],{"type":22,"tag":981,"props":982,"children":983},"em",{},[984],{"type":27,"value":985},"[)amien",{"type":22,"tag":23,"props":987,"children":988},{},[989,991,997],{"type":27,"value":990},"PS: The samples use ",{"type":22,"tag":54,"props":992,"children":994},{"href":993},"/blog/2007/object-initializers-in-net-35/",[995],{"type":27,"value":996},".NET 3.5 object initializer syntax",{"type":27,"value":998}," for brevity as many affected controls do not have useful constructors",{"type":22,"tag":1000,"props":1001,"children":1002},"style",{},[1003],{"type":27,"value":1004},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":117,"searchDepth":136,"depth":136,"links":1006},[1007,1008,1009,1010,1011,1012],{"id":94,"depth":136,"text":97},{"id":218,"depth":136,"text":221},{"id":449,"depth":136,"text":452},{"id":652,"depth":136,"text":655},{"id":806,"depth":136,"text":809},{"id":948,"depth":136,"text":951},"markdown","content:blog:2007:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection.md","content","blog/2007/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection.md","blog/2007/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection","md","/blog/2007/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/",611,12,[1023,1027,1031],{"title":1024,"date":1025,"url":1026},"HTML5 Video Cheatsheet: Optimizing videos for the web","2025-12-05T00:00:00Z","/blog/2025/html5-video-cheatsheet/",{"title":1028,"date":1029,"url":1030},"Transactions in the MongoDB EF Core Provider","2025-10-25","/blog/2025/mongodb-explicit-transactions/",{"title":1032,"date":1033,"url":1034},"Queryable Encryption with the MongoDB EF Core Provider","2025-09-22","/blog/2025/mongodb-queryable-encryption/",[1036,1057,1078,1125,1146,1182,1207,1227,1249,1270,1292,1325],{"_path":1037,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1039,"description":1040,"id":1041,"name":1042,"email":1043,"avatar":1044,"date":1045,"body":1046,"_type":1013,"_id":1054,"_source":1015,"_file":1055,"_stem":1056,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/11169","5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection","11169","Damien,\nWhen you say \"You would imagine the high-level WebForms controls would take care of encoding and you'd be wrong.\". 
Is there a list of controls that are vulnerable and a list of controls that are not?",11169,"Amit","amit.patankar@gmail.com","https://www.gravatar.com/avatar/8c5172a83b1e86c7a4cd3e0044a8ada9?r=pg&d=retro","2009-02-11T19:01:34",{"type":19,"children":1047,"toc":1052},[1048],{"type":22,"tag":23,"props":1049,"children":1050},{},[1051],{"type":27,"value":1040},{"title":117,"searchDepth":136,"depth":136,"links":1053},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:11169.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/11169.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/11169",{"_path":1058,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1059,"description":1060,"id":1061,"name":1062,"email":1063,"avatar":1064,"url":1065,"date":1066,"body":1067,"_type":1013,"_id":1075,"_source":1015,"_file":1076,"_stem":1077,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5653","5653","great article, i like the ideas in it\na kick from me ;)",5653,"Fady 
Anwar","fady.anwar@gmail.com","https://www.gravatar.com/avatar/55646dc5c1d0268d3ae2568b45441816?r=pg&d=retro","https://barmagy.com/blogs/infinite_loop/default.aspx","2007-12-19T12:57:42",{"type":19,"children":1068,"toc":1073},[1069],{"type":22,"tag":23,"props":1070,"children":1071},{},[1072],{"type":27,"value":1060},{"title":117,"searchDepth":136,"depth":136,"links":1074},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5653.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5653.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5653",{"_path":1079,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1080,"description":1081,"id":1082,"name":1083,"email":1084,"avatar":1085,"url":1086,"date":1087,"body":1088,"_type":1013,"_id":1122,"_source":1015,"_file":1123,"_stem":1124,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5647","5647","It should be encoded regardless of where it came from or whether it is believed to be safe. 
The only exception is data you expect to contain HTML and are going to sanitize to ensure it only has the HTML you like.",5647,"Damien Guard","damien@envytech.co.uk","https://www.gravatar.com/avatar/dc72963e7279d34c85ed4c0b731ce5a9?r=pg&d=retro","https://damieng.com/","2007-12-19T07:41:18",{"type":19,"children":1089,"toc":1120},[1090,1094,1099],{"type":22,"tag":23,"props":1091,"children":1092},{},[1093],{"type":27,"value":1081},{"type":22,"tag":23,"props":1095,"children":1096},{},[1097],{"type":27,"value":1098},"One example I've seen is blogging software that fails to encode blog post titles because they are 'safe' in that they are only entered by the blogging author.",{"type":22,"tag":23,"props":1100,"children":1101},{},[1102,1104,1110,1112,1118],{"type":27,"value":1103},"You create a blog post called \"Using ",{"type":22,"tag":39,"props":1105,"children":1107},{"className":1106},[],[1108],{"type":27,"value":1109},"List\u003CT>",{"type":27,"value":1111}," for collections\" and it shows up with \"Using ",{"type":22,"tag":39,"props":1113,"children":1115},{"className":1114},[],[1116],{"type":27,"value":1117},"List",{"type":27,"value":1119}," for collections\", causes the page to fail validation and breaks the RSS feed.",{"title":117,"searchDepth":136,"depth":136,"links":1121},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5647.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5647.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5647",{"_path":1126,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1127,"description":1128,"id":1129,"name":1130,"email":1131,"avatar":1132,"url":1133,"date":1134,"body":1135,"_type":1013,"_id":1143,"_source":1015,"_file":1144,"_stem":1145,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5644","5644","But that's not really 5 signs --- It's really just one sign --- because 
Response.Write, HtmlAnchor et al aren't the problem.  The problem is post.Author.  If it comes from a trusted source (i.e., you typed it in yourself), it's save to output directly.  If it comes from anywhere else (notably user input), then it must be encoded.",5644,"James Curran","jamescurran@mvps.org","https://www.gravatar.com/avatar/98df3c7cc17f088af555c5accbdb2509?r=pg&d=retro","https://www.honestillusion.com","2007-12-19T02:29:57",{"type":19,"children":1136,"toc":1141},[1137],{"type":22,"tag":23,"props":1138,"children":1139},{},[1140],{"type":27,"value":1128},{"title":117,"searchDepth":136,"depth":136,"links":1142},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5644.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5644.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5644",{"_path":1147,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1148,"description":1149,"id":1150,"name":1083,"email":1084,"avatar":1085,"url":1086,"date":1151,"body":1152,"_type":1013,"_id":1179,"_source":1015,"_file":1180,"_stem":1181,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5638","5638","Lol, I think that WordPress is determining that might be dangerous. Dave was, I think, mentioning the \u003Cpage validateRequest=\"true\" /> option in web.config that tries to prevent your application accepting script from the user.",5638,"2007-12-18T18:51:55",{"type":19,"children":1153,"toc":1177},[1154,1167,1172],{"type":22,"tag":23,"props":1155,"children":1156},{},[1157,1159,1165],{"type":27,"value":1158},"Lol, I think that WordPress is determining that might be dangerous. 
Dave was, I think, mentioning the ",{"type":22,"tag":39,"props":1160,"children":1162},{"className":1161},[],[1163],{"type":27,"value":1164},"\u003Cpage validateRequest=\"true\" />",{"type":27,"value":1166}," option in web.config that tries to prevent your application accepting script from the user.",{"type":22,"tag":23,"props":1168,"children":1169},{},[1170],{"type":27,"value":1171},"This is all well and good but if there are other ways to get data into your database (links with other company systems, web services, message pumps or even internal WinForms apps) then those too can be avenues for attack.",{"type":22,"tag":23,"props":1173,"children":1174},{},[1175],{"type":27,"value":1176},"Many attacks happen from the inside and anyone with access to the SQL box or a WinForms app could be the one putting the payload there ready for your application to deliver up to unsuspecting users.",{"title":117,"searchDepth":136,"depth":136,"links":1178},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5638.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5638.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5638",{"_path":1183,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1184,"description":1185,"id":1186,"name":1187,"email":1188,"avatar":1189,"date":1190,"body":1191,"_type":1013,"_id":1204,"_source":1015,"_file":1205,"_stem":1206,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5637","5637","So...",5637,"Dave","hikingdave@hotmail.com","https://www.gravatar.com/avatar/b857b751eef3cc9c36652f70a511289c?r=pg&d=retro","2007-12-18T16:51:41",{"type":19,"children":1192,"toc":1202},[1193,1197],{"type":22,"tag":23,"props":1194,"children":1195},{},[1196],{"type":27,"value":1185},{"type":22,"tag":23,"props":1198,"children":1199},{},[1200],{"type":27,"value":1201},"By saying ASP.NET does nothing for you, are you implying that 
putting a \"\" section  into your web.config isn't working anymore for some reason?\nIt certainly isn't fool-proof, but it gives a huge head-start getting around the issues you are describing.",{"title":117,"searchDepth":136,"depth":136,"links":1203},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5637.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5637.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5637",{"_path":1208,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1209,"description":1210,"id":1211,"name":1212,"email":1213,"avatar":1214,"date":1215,"body":1216,"_type":1013,"_id":1224,"_source":1015,"_file":1225,"_stem":1226,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5634","5634","Great article, I have always encoded entries into the db but never encoded the output from the DB. After reading this I was like \"duh!! why didn't I think if that\". I wonder if someone could make an Ajax extender for a textbox that automatically encodes the output. 
Thanks again, Scott",5634,"ScottB","sbosarge@comcast.net","https://www.gravatar.com/avatar/41f6d1feac912491e2498140387e30f7?r=pg&d=retro","2007-12-18T15:59:06",{"type":19,"children":1217,"toc":1222},[1218],{"type":22,"tag":23,"props":1219,"children":1220},{},[1221],{"type":27,"value":1210},{"title":117,"searchDepth":136,"depth":136,"links":1223},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5634.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5634.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5634",{"_path":1228,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1229,"description":1230,"id":1231,"name":1083,"email":1084,"avatar":1085,"url":1086,"date":1232,"body":1233,"_type":1013,"_id":1246,"_source":1015,"_file":1247,"_stem":1248,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5630","5630","Yeah I agree with you here and have to conceed that JSF/JSP did the right thing.",5630,"2007-12-18T13:43:16",{"type":19,"children":1234,"toc":1244},[1235,1239],{"type":22,"tag":23,"props":1236,"children":1237},{},[1238],{"type":27,"value":1230},{"type":22,"tag":23,"props":1240,"children":1241},{},[1242],{"type":27,"value":1243},"Microsoft almost got it right with the HtmlControls but for that bug I 
found.",{"title":117,"searchDepth":136,"depth":136,"links":1245},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5630.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5630.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5630",{"_path":1250,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1251,"description":1252,"id":1253,"name":1254,"email":1255,"avatar":1256,"url":1257,"date":1258,"body":1259,"_type":1013,"_id":1267,"_source":1015,"_file":1268,"_stem":1269,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5629","5629","And interestingly, I think shortcuts like {! have a downside. Sure it's quicker to type, but it does nothing to remind you that you should be using it. And, it's arguably harder to spot a missing ! when you're reviewing code than it is to miss a missing explicit encoding/escaping method call. I don't think shortcuts are the answer at all, making safety the default is much more 
robust.",5629,"steve","steve@stevestreeting.com","https://www.gravatar.com/avatar/fbe8cc9ac5bc8797382e01e10f5f8e33?r=pg&d=retro","https://www.stevestreeting.com","2007-12-18T12:29:50",{"type":19,"children":1260,"toc":1265},[1261],{"type":22,"tag":23,"props":1262,"children":1263},{},[1264],{"type":27,"value":1252},{"title":117,"searchDepth":136,"depth":136,"links":1266},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5629.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5629.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5629",{"_path":1271,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1272,"description":1273,"id":1274,"name":1254,"email":1255,"avatar":1256,"url":1257,"date":1275,"body":1276,"_type":1013,"_id":1289,"_source":1015,"_file":1290,"_stem":1291,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5628","5628","I wonder why escaping (or encoding if you prefer) the HTML isn't the default on the higher-level constructs. I can understand why the low-level ASP output methods don't do it, but IMO higher level frameworks should always default to safe behaviour. Having to remember to explicitly escape is a huge pain the ass.",5628,"2007-12-18T12:25:30",{"type":19,"children":1277,"toc":1287},[1278,1282],{"type":22,"tag":23,"props":1279,"children":1280},{},[1281],{"type":27,"value":1273},{"type":22,"tag":23,"props":1283,"children":1284},{},[1285],{"type":27,"value":1286},"I know everyone except me reading your blog hates Java, but again JSF demonstrates good practice here, by defaulting to escaping HTML. Since JSF is a common building block for most serious Java web software, the result is that most people building using it will have at least that minimum requirement covered without having to keep reminding themselves. 
I think the MVC framework, or some intermediate view component for ASP (as JSF is to JSP) should do the same.",{"title":117,"searchDepth":136,"depth":136,"links":1288},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5628.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5628.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5628",{"_path":1293,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1294,"description":1295,"id":1296,"name":1083,"email":1084,"avatar":1085,"url":1086,"date":1297,"body":1298,"_type":1013,"_id":1322,"_source":1015,"_file":1323,"_stem":1324,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5622","5622","{! } is good in MonoRail, I think Ayende added it in response to my ticket on encoding being off by default and causing a problem through to components such as the SmartGrid.",5622,"2007-12-18T07:37:34",{"type":19,"children":1299,"toc":1320},[1300,1310,1315],{"type":22,"tag":23,"props":1301,"children":1302},{},[1303,1308],{"type":22,"tag":39,"props":1304,"children":1306},{"className":1305},[],[1307],{"type":27,"value":44},{"type":27,"value":1309}," is good in MonoRail, I think Ayende added it in response to my ticket on encoding being off by default and causing a problem through to components such as the SmartGrid.",{"type":22,"tag":23,"props":1311,"children":1312},{},[1313],{"type":27,"value":1314},"Having something similar in MVC would be great although personally I'd love it to be mapped to a method on a new HtmlViewPage class which inherits from ViewPage so that you can switch out the encoding method for different output types.",{"type":22,"tag":23,"props":1316,"children":1317},{},[1318],{"type":27,"value":1319},"There is some discussion about the whole issue so we'll see what 
happens.",{"title":117,"searchDepth":136,"depth":136,"links":1321},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5622.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5622.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5622",{"_path":1326,"_dir":1038,"_draft":6,"_partial":6,"_locale":7,"title":1327,"description":1328,"id":1329,"name":1330,"email":1331,"avatar":1332,"date":1333,"body":1334,"_type":1013,"_id":1342,"_source":1015,"_file":1343,"_stem":1344,"_extension":1018},"/comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5621","5621","I would love to see some type of shortcut in MVC like brail has in monorail.  In brail I can !{post.Author} and it will be html encoded.  It would be nice if MS MVC and ASP.Net for that matter added something like  so encoding did not have to take a function call.  Not having this will be so much more annoying in MS MVC has you will have many more  code blocks.",5621,"Adam Tybor","adam.tybor@gmail.com","https://www.gravatar.com/avatar/1666f4eb9724451346a97a026689d7e7?r=pg&d=retro","2007-12-18T04:00:04",{"type":19,"children":1335,"toc":1340},[1336],{"type":22,"tag":23,"props":1337,"children":1338},{},[1339],{"type":27,"value":1328},{"title":117,"searchDepth":136,"depth":136,"links":1341},[],"content:comments:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection:5621.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5621.md","comments/5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection/5621",1779264589265]