// helper code (kept as the post shows it: the label text is never encoded)
// needs System.Web.Mvc plus the MVC Futures assembly (Microsoft.Web.Mvc),
// which is where this string-returning TextBoxFor and ExpressionHelper.GetInputName live
using System;
using System.Linq.Expressions;

public static class TextBoxWithLabelExtensions
{
    public static string TextBoxWithLabelFor<TModel, TProperty>(
        this HtmlHelper<TModel> htmlHelper,
        Expression<Func<TModel, TProperty>> expression,
        string label)
        where TModel : class
    {
        // the caller's label goes straight into the markup via string.Format
        string labelHtml =
            string.Format("<label for=\"{0}\">{1}:</label>",
                ExpressionHelper.GetInputName(expression),
                label); // !!!!!! ENCODING ???????
        string textboxHtml = htmlHelper.TextBoxFor(expression);
        return labelHtml + " " + textboxHtml;
    }
}
// usage (in the view; <%= %> writes the returned string without encoding it)
<%= Html.TextBoxWithLabelFor(c => c.MaxAttendees, "Max Attendees") %>
The label is a raw string written into the HTML body without any encoding.
Today "the label" is a constant typed into the view,
tomorrow it can be metadata obtained from some other source,
and some day after that, user input....
The API that writes the markup should be responsible for encoding it.....no assumptions about its clients....
CWE-116: Improper Encoding or Escaping of Output
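A hardened version of the helper, added here as an example (it is not the post's code). It assumes ASP.NET MVC 2 or later, where TextBoxFor returns MvcHtmlString and TagBuilder, ExpressionHelper.GetExpressionText and TagBuilder.CreateSanitizedId exist; the class name is mine. TagBuilder.SetInnerText HTML-encodes the text node and TagBuilder encodes attribute values when rendering, so the caller can pass any string and the helper never emits it raw:

```csharp
using System;
using System.Linq.Expressions;
using System.Web.Mvc;

// Added example: same helper, with encoding done inside the API.
public static class SafeTextBoxWithLabelExtensions
{
    public static MvcHtmlString TextBoxWithLabelFor<TModel, TProperty>(
        this HtmlHelper<TModel> htmlHelper,
        Expression<Func<TModel, TProperty>> expression,
        string label)
        where TModel : class
    {
        // Same dotted property name TextBoxFor uses for the input's "name"
        // (assumption: MVC 2+ ExpressionHelper, not the MVC Futures one).
        string name = ExpressionHelper.GetExpressionText(expression);
        // TextBoxFor derives the element id from the name with the same sanitizer,
        // so "for" points at the generated textbox.
        string id = TagBuilder.CreateSanitizedId(name);

        var labelTag = new TagBuilder("label");
        labelTag.Attributes["for"] = id;      // attribute value is encoded when rendered
        labelTag.SetInnerText(label + ":");   // HTML-encodes the label text, whatever it contains

        string textboxHtml = htmlHelper.TextBoxFor(expression).ToHtmlString();
        string labelHtml = labelTag.ToString(TagRenderMode.Normal);

        // MvcHtmlString marks the result as already-encoded markup.
        return MvcHtmlString.Create(labelHtml + " " + textboxHtml);
    }
}
```

Because the return type is MvcHtmlString (an IHtmlString), the view can use either `<%= %>` or, on ASP.NET 4, `<%: %>` without double-encoding; a label such as `"Max <b>Attendees</b>"` is rendered as text, not as markup. The textbox half already came encoded from the framework's own helper; the fix only closes the gap the post's `string.Format` left open.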