Understood. That's the difference between URL Encoding and HTML Encoding. My point was more that in MVC, you have an HtmlHelper class with a bag of goodies, i.e.:
Html.RouteLink() generates a safe URL link.
Html.TextBox() generates a safe text-box.
Html.AntiForgeryToken() generates a token that protects against CSRF vulnerabilities.

On Thu, Sep 2, 2010 at 9:52 AM, silky <michaelsli...@gmail.com> wrote:
> On Thu, Sep 2, 2010 at 11:47 AM, Nathan Schultz <milish...@gmail.com> wrote:
> > I'm a little surprised by comments that most devs wouldn't know what a SQL
> > Injection attack was. Most developers I've worked with have a class of some
> > kind with a function for sanitizing data against SQL Injection.
> >
> > These days you don't see them used so often, as SQL Parameters / Linq to SQL
> > / Entity Framework / nHibernate, etc. all offer protection against SQL
> > Injection attacks. And many frameworks, such as MVC, are making it easier
> > than ever to protect against XSS attacks (and CSRF vulnerabilities to an
> > extent), by making default syntax encode HTML.
>
> It is *critical* that people realise things need to be encoded for
> *context*, not just "HTML". I.e. what is valid output in an area such
> as:
>
> <p>$foo</p>
>
> Is not valid when used here:
>
> <a href="$foo">silky</a>
>
> It's obvious when stated, but it's easy to miss, and having everything
> "done for you" doesn't help, unless it's context-aware (which would
> be great).
>
> --
> silky
>
> http://dnoondt.wordpress.com/
>
> "Every morning when I wake up, I experience an exquisite joy — the joy
> of being this signature."
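The context distinction silky raises (text between tags versus an href value), shown as an added example that is not part of this thread or of ASP.NET MVC: one encoder per output context, written in JavaScript because the rule is the same in any language. The function names and the accepted href schemes (absolute http(s) or site-relative path) are my assumptions.

```javascript
// Added example, not from the thread: one encoder per output context.
// The same untrusted value ($foo) needs a different encoding depending on
// whether it lands in element text, a query string, or an href attribute.

// Context: element text, e.g. <p>$foo</p>
function encodeForHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Context: a single query-string component, e.g. ?q=$foo
function encodeForUrlComponent(s) {
  return encodeURIComponent(String(s));
}

// Context: an href attribute, e.g. <a href="$foo">
// HTML-encoding alone is not enough here: a non-http scheme survives it
// untouched. So first restrict the value to an absolute http(s) URL or a
// site-relative path (assumed policy; protocol-relative //host is rejected),
// then attribute-encode the result so quotes cannot close the attribute.
function encodeForHrefAttribute(s) {
  const value = String(s).trim();
  const allowed = /^https?:\/\//i.test(value) || /^\/(?!\/)/.test(value);
  return encodeForHtmlText(allowed ? value : '#');
}

// A minimal context-aware link helper: href context for the URL,
// text context for the label.
function renderLink(href, label) {
  return `<a href="${encodeForHrefAttribute(href)}">${encodeForHtmlText(label)}</a>`;
}
```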