Thursday, February 18, 2010

System.Web.Mvc.TagBuilder: dangerous, undocumented, suboptimal, useless?

Do we (they) really need this class?

"Validating" constructor

Accepts any characters and builds an invalid tag name for HTML, (X)HTML and XML. The rendered result for a tag name of "<&":

    <<&>Is this valid 'tag name' ?</<&>

MergeAttribute producing invalid attribute names

Accepts any characters and builds invalid, or even injected, attributes for HTML, (X)HTML and XML. The attribute name itself is never checked, so a name containing a quote and a closing bracket breaks out of the tag:

    <a Small="Small" is:this:correct:name="" small="small" xss="..">...<a xss="">Is this valid attribute name ?</a>

Of course it encodes the attribute value, but... (to be shown later).

Border conditions:

- a null value is converted to ""
- a duplicate call for the same attribute name is ignored silently
- attribute names are case sensitive regarding duplicates and sorting

What is the tag builder, really?

    return String.Format(CultureInfo.InvariantCulture, "<{0}{1}>{2}",
        // {0} tag name: not validated, not encoded
        // {1} attributes: values passed through HttpUtility.HtmlAttributeEncode,
        //     names NOT encoded !!!
        // {2} content: raw InnerHtml as supplied, or HttpUtility.HtmlEncode(innerText);
        //     null translated to ""
Do we really need 140 lines of code to achieve this?
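Since TagBuilder validates neither the tag name passed to its constructor nor the keys passed to MergeAttribute, the practical defence is to validate both before they reach the class. The wrapper below is an added example, not framework code and not from this post; it assumes the ASP.NET MVC TagBuilder API (constructor, MergeAttribute with the replaceExisting overload, SetInnerText, ToString) and a deliberately conservative name grammar (an ASCII letter or underscore, then letters, digits, underscore or hyphen), which is a strict subset of the XML Name production and refuses colon-separated names on purpose. It also rejects attribute sets whose names differ only in case, because TagBuilder would otherwise emit both "Small" and "small" as separate attributes.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web.Mvc;   // TagBuilder, TagRenderMode

// Added example (hypothetical helper), not part of System.Web.Mvc.
public static class SafeTagBuilder
{
    // Assumption: conservative name grammar, stricter than XML Name.
    private static readonly Regex NameRule =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_-]*$", RegexOptions.Compiled);

    public static string CreateTag(
        string tagName, IDictionary<string, string> attributes, string innerText)
    {
        // TagBuilder's constructor accepts anything; check the name first.
        if (!NameRule.IsMatch(tagName ?? ""))
            throw new ArgumentException("invalid tag name: " + tagName, "tagName");

        var tag = new TagBuilder(tagName);
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        foreach (var pair in attributes)
        {
            // MergeAttribute never encodes or validates the key; we do.
            if (!NameRule.IsMatch(pair.Key))
                throw new ArgumentException("invalid attribute name: " + pair.Key, "attributes");

            // TagBuilder treats "Small" and "small" as two attributes; refuse that.
            if (!seen.Add(pair.Key))
                throw new ArgumentException(
                    "attribute name differs only in case: " + pair.Key, "attributes");

            // replaceExisting: true, so a repeated key is never dropped silently.
            // TagBuilder still runs the value through HttpUtility.HtmlAttributeEncode.
            tag.MergeAttribute(pair.Key, pair.Value ?? "", true);
        }

        // SetInnerText applies HttpUtility.HtmlEncode. Never assign untrusted
        // input to tag.InnerHtml, which is emitted raw.
        tag.SetInnerText(innerText ?? "");
        return tag.ToString(TagRenderMode.Normal);
    }

    public static void Main()
    {
        // Constructed sample input: an encoded value and encoded text.
        var ok = CreateTag("a",
            new Dictionary<string, string>
            {
                { "href", "/x?a=1&b=2" },
                { "title", "\"quoted\"" }
            },
            "<b>not bold</b>");
        Console.WriteLine(ok);

        // The names from the post that TagBuilder would happily render.
        foreach (var bad in new[] { "<&", "is:this:correct:name", "xss=\"..\">...<a xss" })
        {
            try
            {
                CreateTag("a", new Dictionary<string, string> { { bad, "" } }, "");
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

The wrapper leaves value encoding to TagBuilder, which already does that part correctly; the only thing it adds is the name checks the class omits, plus a fail-closed policy for the border conditions listed above (null value, silently ignored duplicates, case-sensitive names).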

Coming soon: HttpUtility.HtmlAttributeEncode and HttpUtility.HtmlEncode
