System.Web.Mvc.TagBuilder
Do we (they) really need this class?

Useless, "non validating" constructor: it accepts any characters and builds an invalid tag name for HTML, (X)HTML and XML. Constructing a TagBuilder with the tag name "<&" renders as:

    <<&>Is this valid 'tag name' ?</<&>
MergeAttribute produces invalid attribute names: it accepts any characters and builds invalid, or even injected, attributes for HTML, (X)HTML and XML. Merging the attribute names "Small", "is:this:correct:name", "small" and "xss="..">...<a xss" (the last one carrying its own closing quote and a second tag) renders as:

    <a Small="Small" is:this:correct:name="" small="small" xss="..">...<a xss="">Is this valid attribute name ?</a>
Of course it encodes the attribute value, but... (to be shown later).

Border conditions: a null value is converted to ""; a duplicate call for the same attribute name is silently ignored; attribute names are case sensitive with regard to both duplicates and sorting.
What the TagBuilder really is:

    return String.Format(CultureInfo.InvariantCulture, "<{0}{1}>{2}</{0}>",
        TagName,                // not validated, not encoded
        GetAttributesString(),  // HttpUtility.HtmlAttributeEncode: encoded values, NOT encoded names !!!
        InnerHtml);             // raw InnerHtml as supplied, or HttpUtility.HtmlEncode(innerText); null translated to ""

Do we really need 140 lines of code to achieve this?
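The validation the constructor and MergeAttribute leave out, as an added example (not code from this post or from ASP.NET MVC): a hypothetical ValidatedTagBuilder wrapper that rejects the tag and attribute names shown above before they reach TagBuilder, and passes replaceExisting explicitly so the silently ignored duplicate call becomes a visible choice. NamePattern is an assumed conservative subset of the XML Name production, not the full one.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical wrapper (not part of ASP.NET MVC): checks tag and attribute
// names before they reach TagBuilder, which writes both into the markup raw.
public static class ValidatedTagBuilder
{
    // Assumed conservative subset of the XML Name production: a letter or '_',
    // then letters, digits, '_', '-', '.' or ':'. Everything else is rejected.
    private static readonly Regex NamePattern =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_.:\-]*$", RegexOptions.Compiled);

    public static TagBuilder Create(string tagName)
    {
        RequireValidName(tagName, "tagName");
        return new TagBuilder(tagName);
    }

    // replaceExisting is passed through explicitly: MergeAttribute(key, value)
    // keeps the first value and silently ignores later calls for the same key.
    // Null values are mapped to "" up front, mirroring what TagBuilder renders.
    public static TagBuilder WithAttribute(this TagBuilder tag, string name,
                                           string value, bool replaceExisting = false)
    {
        RequireValidName(name, "name");
        tag.MergeAttribute(name, value ?? String.Empty, replaceExisting);
        return tag;
    }

    private static void RequireValidName(string name, string paramName)
    {
        if (String.IsNullOrEmpty(name) || !NamePattern.IsMatch(name))
            throw new ArgumentException("Invalid HTML/XML name: '" + name + "'", paramName);
    }
}

public static class Demo
{
    public static void Main()
    {
        var a = ValidatedTagBuilder.Create("a")
            .WithAttribute("href", "/x?a=1&b=2")
            .WithAttribute("href", "/other", replaceExisting: true);  // replaced, not ignored
        a.SetInnerText("ok");
        Console.WriteLine(a.ToString());  // value encoded by TagBuilder, name checked here
        // Both inputs from the post are now rejected instead of emitted verbatim.
        try { ValidatedTagBuilder.Create("<&"); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
        try { a.WithAttribute("xss=\"..\">...<a xss", ""); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```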
Coming soon: HttpUtility.HtmlAttributeEncode and HttpUtility.HtmlEncode challenged.