So, I thought I was a "veteran" ASP.NET WebForms developer; however, I came across this recently and was (unpleasantly) surprised that the output was not escaped:
<asp:Label Text='<%# Eval("UserData") %>' runat="server" />
Imagine Eval returning "<h1>joke is on you" or something more harmful to the correct rendering / security of the page.
The reason for using Label, and not a bare <%# %>, was directly related to the fact that I (incorrectly) assumed the contents of "UserData" would be properly escaped for HTML. However, this is apparently not the case, and the above snippet shows that the <h1> element is created in the HTML markup.
Then the question can be distilled as:
Given arbitrary user input that should be presented as "plain text", what is a simple / reliable / safe way to insert the data into a page (inline) with proper escaping?
As stated above, it must run in the context of a data-bound control. I know about HttpUtility.HtmlEncode, but I would like to entertain the idea of still using a control - maybe there is a standard control for this task that I missed - that does this safely without having to wrap Eval. If this is erroneous, based on logic or experience, it would be nice to include that in the answers. I would not rule out the idea that my use of Label in this case is completely inappropriate.
SharePoint 2010, ASP.NET .NET 3.5, ASP.NET 4.
user166390
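As an added illustration of the encoding problem described in the question (this is example markup, not code from the original post), here is the unencoded Label binding beside two encoded forms. It assumes a code-behind that binds the Repeater to a constructed list of items with a UserData property, one of which holds the "<h1>joke is on you" string from the question.

```aspx
<%-- Constructed sample: assume code-behind binds rptUsers to a list of objects
     exposing a string property UserData, one item being "<h1>joke is on you". --%>
<asp:Repeater ID="rptUsers" runat="server">
  <ItemTemplate>

    <%-- 1. Unsafe: Label writes its Text verbatim, so a "<h1>" in UserData
         becomes a real element. Any user-controlled UserData is an XSS sink here. --%>
    <asp:Label runat="server" Text='<%# Eval("UserData") %>' />

    <%-- 2. Safe and still a control: Literal with Mode="Encode" HTML-encodes
         its Text when rendering (LiteralMode.Encode exists since ASP.NET 2.0),
         so the markup is shown as text instead of being interpreted. --%>
    <asp:Literal runat="server" Mode="Encode" Text='<%# Eval("UserData") %>' />

    <%-- 3. Safe and explicit: encode inside the binding expression. Eval returns
         object, and on .NET 3.5 HtmlEncode only takes a string, so convert first. --%>
    <asp:Label runat="server"
               Text='<%# HttpUtility.HtmlEncode(Convert.ToString(Eval("UserData"))) %>' />

  </ItemTemplate>
</asp:Repeater>
```

When reviewing existing pages, search for Text='<%# Eval(...) %>' on Label, HyperLink and similar controls: only those whose values are guaranteed non-user-controlled should stay unencoded.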