html-encode

php htmlentities to decode textarea

拈花ヽ惹草 submitted on 2019-12-01 22:40:34
Question: I have a text area and I would like to take the input of the text area and merge it all together. Everything works fine except that it's escaping the quotes. For example test's is outputted as test/'s. To fix this I tried htmlentities such as, <?php $inputtext= $_POST['textinput']; $encodetext = htmlentities($inputtext); $finaltext = html_entity_decode($encodetext); echo '<p>'.$finaltext .'</p>'; ?> This should work according to the html_entity_decode manual (unless I read it wrong which could

Some chars encoded during POST while others are not

点点圈 submitted on 2019-12-01 18:18:57
TL;DR CodeIgniter's Security Class directly manipulates your Globals such as $_POST and it finds file() and file () to be a threat so it HTML encodes it. // config.php from my apps folder is the culprit $config['global_xss_filtering'] = TRUE; Do-It-Yourself (the few, the brave) In CodeIgniter 2.1.4 go to system/core/security.php and line #430-442: /* * Sanitize naughty scripting elements * * Similar to above, only instead of looking for * tags it looks for PHP and JavaScript commands * that are disallowed. Rather than removing the * code, it simply converts the parenthesis to entities *

Some chars encoded during POST while others are not

假装没事ソ submitted on 2019-12-01 17:58:46
Question: TL;DR CodeIgniter's Security Class directly manipulates your Globals such as $_POST and it finds file() and file () to be a threat so it HTML encodes it. // config.php from my apps folder is the culprit $config['global_xss_filtering'] = TRUE; Do-It-Yourself (the few, the brave) In CodeIgniter 2.1.4 go to system/core/security.php and line #430-442: /* * Sanitize naughty scripting elements * * Similar to above, only instead of looking for * tags it looks for PHP and JavaScript commands * that

HTML Encoding Strings - ASP.NET Web Forms VS Razor View Engine

删除回忆录丶 submitted on 2019-12-01 15:35:20
I'm not quite sure how this works yet... trying to find documentation. In my existing app I've got two different ways of rendering strings in my View <%: model.something %> <!-- or --> <%= model.something %> The first one is html encoded, and the second one is not. Is there something similarly short in Razor? All I can find is this, which is the encoded version. @model.something I guess the best approach would be to use the Raw extension-method: @Html.Raw(Model.Something) @Model.Something automatically HTML encodes. If you want to avoid HTML encoding (and you want this only if you are

HTML Encoding Strings - ASP.NET Web Forms VS Razor View Engine

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-01 13:41:16
Question: I'm not quite sure how this works yet... trying to find documentation. In my existing app I've got two different ways of rendering strings in my View <%: model.something %> <!-- or --> <%= model.something %> The first one is html encoded, and the second one is not. Is there something similarly short in Razor? All I can find is this, which is the encoded version. @model.something Answer 1: I guess the best approach would be to use the Raw extension-method: @Html.Raw(Model.Something) Answer 2: @Model

How do you handle line breaks in HTML Encoded MVC view?

 ̄綄美尐妖づ submitted on 2019-12-01 06:14:15
I am unsure of the best way to handle this. In my index view I display a message that is contained in TempData["message"] . This allows me to display certain error or informational messages to the user when coming from another action (for example, if a user tries to enter the Edit action when they don't have access, it kicks them back to the Index with a message of "You are not authorized to edit this data"). Prior to displaying the message, I run Html.Encode(TempData["message"]) . However, I have recently come into the issue where for longer messages I want to be able to separate the lines

AllowHtml not working for ASP.Net Mvc 3 site

巧了我就是萌 submitted on 2019-12-01 05:25:47
We're trying to use the [AllowHtml] decoration on one of our ViewModel properties so that we can avoid the YSOD: A potentially dangerous Request.Form value was detected from the client (RequestText= "<br>" ). when we try to submit html text, like: <br> . We want to then use Server.HtmlEncode within the controller action to prevent attacks, but when we decorate the property with [AllowHtml] it has no effect, and if we try to use [ValidateInput(false)] on the controller action, it has no effect either. We saw a StackOverflow Post saying that in MVC 3 RC2 that you have to add:

HTMLencode HTMLdecode

做~自己de王妃 submitted on 2019-12-01 05:23:59
Question: I have a text area and I want to store the text entered by user in database with html formatting like paragraph break, numbered list. I am using HTMLencode and HTMLdecode for this. Sample of my code is like this: string str1 = Server.HtmlEncode(TextBox1.Text); Response.Write(Server.HtmlDecode(str1)); If user entered text with 2 paragraphs, str1 shows characters \r\n\r\n between paragraphs. But when it writes it to screen, just append 2nd paragraph with 1st. While I'm decoding it, why doesn't

How do you handle line breaks in HTML Encoded MVC view?

大憨熊 submitted on 2019-12-01 05:03:22
Question: I am unsure of the best way to handle this. In my index view I display a message that is contained in TempData["message"] . This allows me to display certain error or informational messages to the user when coming from another action (for example, if a user tries to enter the Edit action when they don't have access, it kicks them back to the Index with a message of "You are not authorized to edit this data"). Prior to displaying the message, I run Html.Encode(TempData["message"]) . However, I

AllowHtml not working for ASP.Net Mvc 3 site

耗尽温柔 submitted on 2019-12-01 03:34:18
Question: We're trying to use the [AllowHtml] decoration on one of our ViewModel properties so that we can avoid the YSOD: A potentially dangerous Request.Form value was detected from the client (RequestText= "<br>" ). when we try to submit html text, like: <br> . We want to then use Server.HtmlEncode within the controller action to prevent attacks, but when we decorate the property with [AllowHtml] it has no effect, and if we try to use [ValidateInput(false)] on the controller action, it has no effect