2

If the name of a link is pulled from the database, should you be calling the Html.Encode method to clean the name?

For example:

Html.ActionLink(Model.PersonFromDB.FirstName,
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)

or:

Html.ActionLink(Html.Encode(Model.PersonFromDB.FirstName),
                "Action",
                "Controller",
                new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
                null)

It would make sense that you would want to do this to ensure that there are no dangerous strings injected into the page between <a> and </a> tags, but are scripts and such executable between anchor tags?

Chris F
  • I came across this site after posting the question and marking the answer, but I figure it's helpful to others who stumble onto this question: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet – Chris F Feb 18 '10 at 20:36

3 Answers

6

No, since according to this thread on SO Html.ActionLink() already HTML encodes values, so you'd end up doing it twice.

Dan Diplo
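As an added illustration of the difference between the two forms in the question (this is a Python model written for this page, not ASP.NET code or anything from the original answer): `action_link` is a hypothetical stand-in for Html.ActionLink that HTML-encodes the link text exactly once, URL-encodes route values, and HTML-encodes the finished href as an attribute value. The assumption that `id` becomes a path segment follows the default `{controller}/{action}/{id}` route; any other route values are modelled as a query string. The hostile first name is a constructed sample.

```python
import html
from urllib.parse import quote, urlencode


def action_link(link_text, action, controller, route_values=None):
    """Simplified stand-in for Html.ActionLink (assumption, not the real helper).
    Link text is HTML-encoded once, route values are URL-encoded, and the
    finished href is HTML-encoded again because it sits in an attribute."""
    values = dict(route_values or {})
    segments = [controller, action]
    if "id" in values:  # default route puts id in the path, not the query string
        segments.append(str(values.pop("id")))
    href = "/" + "/".join(quote(s, safe="") for s in segments)
    if values:
        href += "?" + urlencode(values)
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True), html.escape(link_text, quote=True)
    )


def render_unencoded(name):
    """The failure ActionLink's encoding prevents: raw DB text dropped into the page."""
    return '<a href="/Controller/Action/42">{}</a>'.format(name)


def render_once(name):
    """First form in the question: ActionLink encodes the name itself."""
    return action_link(name, "Action", "Controller", {"id": 42})


def render_twice(name):
    """Second form in the question: Html.Encode first, then ActionLink encodes again."""
    return action_link(html.escape(name, quote=True), "Action", "Controller", {"id": 42})


def displayed_text(rendered):
    """What a browser shows as the anchor's text: entities are decoded exactly once."""
    inner = rendered[rendered.index(">") + 1 : rendered.rindex("</a>")]
    return html.unescape(inner)


def has_live_script(rendered):
    """True if a literal <script start tag survives as markup in the output."""
    return "<script" in rendered.lower()


# Constructed sample standing in for Model.PersonFromDB.FirstName.
HOSTILE_NAME = "</a><script>alert(1)</script>"

if __name__ == "__main__":
    for label, fn in (("unencoded", render_unencoded),
                      ("once", render_once),
                      ("twice", render_twice)):
        out = fn(HOSTILE_NAME)
        print(label, "script tag live:", has_live_script(out),
              "user sees:", repr(displayed_text(out)))
```

Run stand-alone, the unencoded form leaves a live `<script>` tag, because the text between `<a>` and `</a>` is ordinary HTML and `</a>` closes the anchor early; encoding once neutralises it and the user still reads the original name; encoding twice is safe but the user sees `&lt;/a&gt;...` (or `Tom &amp; Jerry` for a harmless name) because the browser decodes entities only once.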
0

It's certainly a good idea, but you should probably be preventing users from entering in potentially malicious strings as their first name.

Kevin Pang
  • ASP.NET MVC has a feature that checks all input to see if you are attempting to input script or malicious text, so that's already in place. – Chris F Feb 17 '10 at 20:04
  • I generally agree, but keep in mind that "potentially malicious" depends a lot on where the data will be _displayed_. For instance, "" is not at all damaging when displayed on a paper report or a raw DB report, it's only an issue when displayed in HTML. Thus, it's ultimately the job of the _presentation layer_ to format the data according to its specific needs. – Seth Petry-Johnson Feb 17 '10 at 20:05
-1

Yes, absolutely. As a general rule, for any HTML that you are going to output that was originally obtained from an untrusted source, assuming the format wasn't HTML already (and sufficiently vetted), you should always HTML encode the string to protect against injection attacks.

casperOne
  • No. See http://stackoverflow.com/questions/2283920/should-html-encode-be-called-when-building-actionlinks-in-asp-net-mvc/2284022#2284022 – bzlm Apr 13 '10 at 14:47