Tip: Replacing Html.Encode Calls With New Html Encoding Syntax

asp.net mvc, asp.net, code 0 comments suggest edit

Like the well disciplined secure developer that you are, when you built your ASP.NET MVC 1.0 application, you remembered to call Html.Encode every time you output a value that came from user input. Didn’t you?

Well, in ASP.NET MVC 2 running on ASP.NET 4, those calls can be replaced with the new HTML encoding syntax (aka code nugget). I’ve written a three part series on the topic.

But dang, going through all your source files cleaning up these calls is a pretty big pain. Don’t worry, I have your back. Just bring up the Find an Replace dialog (CTRL + SHIFT + H) and expand the Find options section and check the checkbox labeled Use and make sure Regular expressionsis selected.

Then enter the following in the Find what textbox.

\<\%:b*=:b*Html.Encode\({[^%]*}\):b*\%\>

And enter the following in the Replace with textbox.

<%: \1 %>

Here’s a screenshot of what the dialog should look like (though yours won’t have the red box :P).

find-and-replaceNote that this regular expression I’m giving you is not foolproof. There are some very rare edge cases where it might not work, but for the vast majority of cases, it should work fine. At least, it works on my machine!

works-on-my-machine

Now that I’m finally done with updates to Professional ASP.NET MVC 2, I hope to get back to my regular blogging schedule. This will be only my third blog post this month, a new record low! And I love to blog! It’s been a busy past few months.

Found a typo or error? Suggest an edit! If accepted, your contribution is listed automatically here.

Comments

avatar

14 responses

  1. Avatar for Jeff Atwood
    Jeff Atwood April 28th, 2010

    oh god that hideous fake regex syntax makes me want to puke every time I see it.
    Someone PLEASE tell me that Visual Studio 2010 offers a standard Regex syntax here? PLEASE?

  2. Avatar for Dhananjay Goyani
    Dhananjay Goyani April 28th, 2010

    Man, this is awesome. Many thanks Phil.

  3. Avatar for tobi
    tobi April 28th, 2010

    Also remember that you can replace Server.HtmlEncode and HttpUtility.HtmlEncode with this. Actually I think you should scan your app for <%= and eradicate all usages of this dangerous construct. Replace it with <:

  4. Avatar for shiju varghese
    shiju varghese April 28th, 2010

    Thanks Phil. Really useful tip

  5. Avatar for Justin
    Justin April 28th, 2010

    Ok I have to agree with Jeff. I have a hard enough time remembering the real regex syntax. Can the regular regex synatax be used also?

  6. Avatar for Eric Malamisura
    Eric Malamisura April 28th, 2010

    Awesome, Phil we expect MVC 3 release next month k? Sweet! ;)

  7. Avatar for haacked
    haacked April 30th, 2010

    Unfortunately, that screenshot is of Visual Studio 2010. I'll pass this feedback to the Visual Studio team. :)

  8. Avatar for Dan Watson
    Dan Watson April 30th, 2010

    Was just about to dig around all my views and do this.... thanks saved me a load of time :)

  9. Avatar for Imran
    Imran May 3rd, 2010

    I am also very much agree with Jeff. Why Visual Studio not use the stranded Regular Expression.

  10. Avatar for Mark
    Mark May 3rd, 2010

    For those jonsing for real regex in VS... let me share my love for this great VS addin:
    www.codeproject.com/.../VS2008RegexAddIn.aspx

  11. Avatar for Chris Tattum
    Chris Tattum May 18th, 2010

    This has just saved me a LOAD of time after upgrading to .NET4/VS2010. Thanks.

  12. Avatar for zire
    zire May 20th, 2010

    Useful article I hope it will work fine in my sample :)

  13. Avatar for Franck Quintana
    Franck Quintana June 7th, 2010

    Thank you for this useful tip !

  14. Avatar for interactive intelligence
    interactive intelligence March 17th, 2011

    Thanks a lot Mark.I have been looking for these for quite a while and was not able to figure out on how to convert html.encode with the new one.I tried my best to convert it but something went wrong always.After reading your post it seems i was not checking the use regular expression.