Thursday, February 18, 2010

System.Web.Mvc.TagBuilder: dangerous, undocumented, suboptimal, useless?

http://msdn.microsoft.com/en-us/library/system.web.mvc.tagbuilder.aspx

System.Web.Mvc.TagBuilder

Do we (they) really need this class?

A useless, "non-validating" constructor

The constructor accepts any characters and will happily build an invalid tag name for HTML, (X)HTML and XML alike. Only null or empty names are rejected; everything else goes straight into the output:

<<&>Is this valid 'tag name' ?</<&>

MergeAttribute produces invalid attribute names

It accepts any characters in the attribute name and builds invalid, or even injected, attributes for HTML, (X)HTML and XML. Because the name is written out raw, a name containing a quote or a space becomes a second attribute of the caller's choosing:

<a Small="Small" is:this:correct:name="" small="small" xss="..">...
<a xss="">Is this valid attribute name ?</a>

It does encode the attribute value, but... (to be shown later).

Border conditions:
- a null value is rendered as ""
- a second MergeAttribute(key, value) call for an attribute name that already exists is ignored silently (the overload with replaceExisting = true is needed to overwrite it)
- attribute names are case sensitive, both for detecting duplicates and for sorting (ordinal comparison, so uppercase names sort before lowercase ones)

What is the tag builder, really?


return String.Format(CultureInfo.InvariantCulture, "<{0}{1}>{2}",
    // TagName: neither validated nor encoded
    TagName,
    // GetAttributesString(): values go through HttpUtility.HtmlAttributeEncode,
    // names are NOT encoded
    GetAttributesString(),
    // InnerHtml: either the raw InnerHtml as supplied, or HttpUtility.HtmlEncode(innerText)
    // when set through SetInnerText; null is rendered as ""
    InnerHtml);

Do we really need 140 lines of code to achieve this?
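To make the two complaints above concrete (the unvalidated tag name in the constructor and the unvalidated, unencoded attribute name in MergeAttribute), here is an added example, not code from the original post or from ASP.NET MVC itself. It first drives the real TagBuilder with a constructed hostile attribute name to show the injection and the duplicate-key behaviour, then wraps it in a hypothetical SafeTagBuilder (my name, not part of System.Web.Mvc) that rejects any name outside a conservative ASCII name pattern before TagBuilder ever sees it. The expected output comments assume .NET 3.5 / MVC 2 encoding behaviour.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical wrapper (assumption: not part of System.Web.Mvc). TagBuilder does not
// validate tag or attribute names, so we do it here before delegating to it.
public static class SafeTagBuilder
{
    // Conservative ASCII name pattern: letter, then letters/digits/'-'/'_'/'.'.
    // Assumption: no XML namespace prefixes (colons) and no non-ASCII names are needed.
    private static readonly Regex NamePattern =
        new Regex(@"^[A-Za-z][A-Za-z0-9_.\-]*$", RegexOptions.Compiled);

    public static TagBuilder Create(string tagName)
    {
        RequireName(tagName, "tagName");
        return new TagBuilder(tagName);
    }

    public static void MergeAttribute(TagBuilder tag, string key, string value, bool replaceExisting)
    {
        RequireName(key, "key");
        // TagBuilder.MergeAttribute(key, value) silently keeps the first value for a
        // duplicate (ordinal, case-sensitive) key; replaceExisting must be true to overwrite.
        tag.MergeAttribute(key, value ?? String.Empty, replaceExisting);
    }

    private static void RequireName(string name, string paramName)
    {
        if (String.IsNullOrEmpty(name) || !NamePattern.IsMatch(name))
            throw new ArgumentException("Not a valid tag or attribute name: '" + name + "'", paramName);
    }
}

class Demo
{
    static void Main()
    {
        // 1. Attribute *name* is emitted raw: a constructed key containing a quote and a
        //    space smuggles a second attribute into the start tag.
        var raw = new TagBuilder("a");
        raw.MergeAttribute("href=\"#\" injected", "x");   // constructed hostile key
        raw.SetInnerText("link");
        Console.WriteLine(raw.ToString());
        // <a href="#" injected="x">link</a>

        // 2. The attribute *value* is encoded, so the same payload in the value is harmless.
        var quoted = new TagBuilder("a");
        quoted.MergeAttribute("title", "\" injected=\"x");
        Console.WriteLine(quoted.ToString(TagRenderMode.StartTag));
        // <a title="&quot; injected=&quot;x">

        // 3. Duplicate keys: the second call for "class" is ignored, and "Class" is a
        //    different key under ordinal comparison (and sorts before "class").
        var dup = new TagBuilder("a");
        dup.MergeAttribute("class", "first");
        dup.MergeAttribute("class", "second");  // silently ignored
        dup.MergeAttribute("Class", "third");   // new key, uppercase sorts first
        Console.WriteLine(dup.ToString(TagRenderMode.StartTag));
        // <a Class="third" class="first">

        // 4. Wrapped: the hostile key never reaches TagBuilder.
        try
        {
            var safe = SafeTagBuilder.Create("a");
            SafeTagBuilder.MergeAttribute(safe, "href=\"#\" injected", "x", false);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

The wrapper deliberately validates rather than encodes: there is no meaningful "encoded" form of a tag or attribute name, so a name that fails the pattern should be treated as a programming error (or hostile input) and refused, not transformed.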

Coming soon: HttpUtility.HtmlAttributeEncode and HttpUtility.HtmlEncode challenged.
