Like the well disciplined secure developer that you are, when you built
your ASP.NET MVC 1.0 application, you remembered to call
every time you output a value that came from user input. Didn’t you?
Well, in ASP.NET MVC 2 running on ASP.NET 4, those calls can be replaced with the new HTML encoding syntax (aka code nugget). I’ve written a three part series on the topic.
- Html Encoding Code Blocks With ASP.NET 4
- Html Encoding Nuggets With ASP.NET MVC 2
- Using AntiXss as the default encoder for ASP.NET
But dang, going through all your source files cleaning up these calls is
a pretty big pain. Don’t worry, I have your back. Just bring up the Find
an Replace dialog (
CTRL + SHIFT + H) and expand the Find options
section and check the checkbox labeled Use and make sure Regular
Then enter the following in the Find what textbox.
And enter the following in the Replace with textbox.
<%: \1 %>
Here’s a screenshot of what the dialog should look like (though yours won’t have the red box :P).
Note that this regular expression I’m giving you is not foolproof. There are some very rare edge cases where it might not work, but for the vast majority of cases, it should work fine. At least, it works on my machine!
Now that I’m finally done with updates to Professional ASP.NET MVC 2, I hope to get back to my regular blogging schedule. This will be only my third blog post this month, a new record low! And I love to blog! It’s been a busy past few months.