This repository has been archived by the owner on Dec 14, 2018. It is now read-only.
Remove Html.JavaScriptEncoder property #4033
Comments
Eilon
changed the title
|
This is the property in question: https://github.com/aspnet/Mvc/blob/dev/src/Microsoft.AspNetCore.Mvc.ViewFeatures/Rendering/IHtmlHelper.cs#L61-L64 It doesn't appear to be used anywhere in MVC, so it should be fairly clean to remove. |
|
@blowdart Can you please give me a link to an article showing how can it be exploited? Will it ever be safe or just forget about its existence? |
|
I won't, because it's very use specific. Please just forget about its existence. |
|
Existence of what? 😝 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
This @ method is unsafe. It needs to be removed.
We've been recommending the safe approach for a couple of years, which is you put the data inside a DIV tag, in a data attribute, at which point @ and HTML encoding works just fine.
There are cases where simply Javascript encoding introduces XSS (for example, outputting into an OnX attribute on an element). The existence of this method encourages folks to do the wrong thing.
The text was updated successfully, but these errors were encountered: