On Thu, Sep 2, 2010 at 12:18 PM, Nathan Schultz <[email protected]> wrote:
> Understood. That's the difference between URL Encoding and HTML Encoding.

URL Encoding may not fix it, because, as far as I just tested, you can still escape out of the specific area within a href='[here]' area. And that's what always needs to be prevented: escaping the context you are writing the data to. I'm not talking directly to you, more just making a general statement that the most important thing is context-aware writing of elements.

> My point was more in MVC, you have a HtmlHelper class with a bag of goodies.
> ie:
>
> Html.RouteLink() generates a safe URL link.
> Html.TextBox() generates a safe text-box
> Html.AntiForgeryToken() generates a token that protects against CSRF
> vulnerabilities.

-- 
silky
http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
