Shouldn't we use HtmlEncoder.Default.Encode before passing the text to ViewData?
Description
From my understanding,
ViewData["Message"] = "Hello " + name;
should be
ViewData["Message"] = HtmlEncoder.Default.Encode("Hello " + name);
since we are using a user-specified parameter in an HTML context, and we already learnt to use HtmlEncoder.Default.Encode in part 2 of this tutorial.
The concerned part is this snippet: https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/tutorials/first-mvc-app/start-mvc/sample/MvcMovie80/Controllers/HelloWorldController.cs?name=snippet_ViewData&highlight=12-17
Page URL
https://learn.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/adding-view?view=aspnetcore-8.0&tabs=visual-studio
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/tutorials/first-mvc-app/adding-view.md
Document ID
00c2c01d-d235-2d2d-5c96-1f33a9314382
Article author
@wadepickett
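Added example, not from the tutorial or from either participant in this thread: a console sketch of the two output paths being compared, a string returned directly from an action and a value placed in ViewData and rendered with a Razor `@` expression. `RazorWrite` is a hypothetical stand-in for the HTML encoding Razor applies to string `@` expressions, and the `name` value is constructed sample input.

```csharp
using System;
using System.Text.Encodings.Web;

// Constructed sample input: a value supplied in the "name" query parameter.
string name = "<b>Rick</b>";

// Path 1 (tutorial part 2): the action returns a string. The framework writes
// it to the response as-is, so the action encodes the user input itself.
string returnedString = HtmlEncoder.Default.Encode($"Hello {name}");

// Path 2 (the snippet in question): the value goes into ViewData and the view
// renders it with @ViewData["Message"].
string rawViewData = "Hello " + name;
string preEncodedViewData = HtmlEncoder.Default.Encode("Hello " + name);

Console.WriteLine("Returned string, encoded in the action:");
Console.WriteLine("  " + returnedString);

Console.WriteLine("ViewData set to the raw string, then rendered by the view:");
Console.WriteLine("  " + RazorWrite(rawViewData));

Console.WriteLine("ViewData set to the pre-encoded string, then rendered by the view:");
Console.WriteLine("  " + RazorWrite(preEncodedViewData));

// The pre-encoded value passes through the encoder twice: once in the
// controller and once in the view.
bool encodedTwice = RazorWrite(preEncodedViewData) != RazorWrite(rawViewData);
Console.WriteLine($"Pre-encoding changes the rendered output: {encodedTwice}");

// Hypothetical stand-in (assumption of this example): models the HTML encoding
// a Razor @ expression applies to a string before writing it to the page.
static string RazorWrite(string value) => HtmlEncoder.Default.Encode(value);
```

Comparing the second and third outputs shows whether the view-side encoding already covers the user-supplied value, and what an additional `HtmlEncoder.Default.Encode` call in the controller does to the rendered text.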
@Ikelio, thanks for sharing your experience with the doc. There are preprocessor directives such as #define Third, #if First, etc., dividing up the HelloWorldController.cs file, so it repeats code in various states to reflect the progression of the tutorial. I will take a good look at it all though to make sure.
Verified the controller includes return HtmlEncoder.Default.Encode($"Hello {name}, ID: {ID}"); in the controller and works.
This code is available on lines 19-23. It is available if "Third" is defined: #define Third which is also the default set in the controller example:
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/tutorials/first-mvc-app/start-mvc/sample/MvcMovie80/Controllers/HelloWorldController.cs
It also shows up in its proper place in this tutorial: