File: MvcHtmlString.cs

package info (click to toggle)
mono 2.6.7-5.1
  • links: PTS, VCS
  • area: main
  • in suites: squeeze
  • size: 327,344 kB
  • ctags: 413,649
  • sloc: cs: 2,471,883; xml: 1,768,594; ansic: 350,665; sh: 13,644; makefile: 8,640; perl: 1,784; asm: 717; cpp: 209; python: 146; sql: 81; sed: 16
file content (101 lines) | stat: -rw-r--r-- 5,142 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
 
/* ****************************************************************************
 *
 * Copyright (c) Microsoft Corporation. All rights reserved.
 *
 * This software is subject to the Microsoft Public License (Ms-PL). 
 * A copy of the license can be found in the license.htm file included 
 * in this distribution.
 *
 * You must not remove this notice, or any other, from this software.
 *
 * ***************************************************************************/

namespace System.Web.Mvc {
    using System;
    using System.ComponentModel;
    using System.Linq.Expressions;
    using System.Web;

    // In ASP.NET 4, a new syntax <%: %> is being introduced in WebForms pages, where <%: expression %> is equivalent to
    // <%= HttpUtility.HtmlEncode(expression) %>. The intent of this is to reduce common causes of XSS vulnerabilities
    // in WebForms pages (WebForms views in the case of MVC). This involves the addition of an interface
    // System.Web.IHtmlString and a static method overload System.Web.HttpUtility::HtmlEncode(object).  The interface
    // definition is roughly:
    //   public interface IHtmlString {
    //     string ToHtmlString();
    //   }
    // And the HtmlEncode(object) logic is roughly:
    //   - If the input argument is an IHtmlString, return argument.ToHtmlString(),
    //   - Otherwise, return HtmlEncode(Convert.ToString(argument)).
    //
    // Unfortunately this has the effect that calling <%: Html.SomeHelper() %> in an MVC application running on .NET 4
    // will end up encoding output that is already HTML-safe. As a result, we're changing out HTML helpers to return
    // MvcHtmlString where appropriate. <%= Html.SomeHelper() %> will continue to work in both .NET 3.5 and .NET 4, but
    // changing the return types to MvcHtmlString has the added benefit that <%: Html.SomeHelper() %> will also work
    // properly in .NET 4 rather than resulting in a double-encoded output. MVC developers in .NET 4 will then be able
    // to use the <%: %> syntax almost everywhere instead of having to remember where to use <%= %> and where to use
    // <%: %>. This should help developers craft more secure web applications by default.
    //
    // To create an MvcHtmlString, use the static Create() method instead of calling the protected constructor.

    public class MvcHtmlString {

        private delegate MvcHtmlString MvcHtmlStringCreator(string value);
        private static readonly MvcHtmlStringCreator _creator = GetCreator();

        // imporant: this declaration must occur after the _creator declaration
        [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Security", "CA2104:DoNotDeclareReadOnlyMutableReferenceTypes",
            Justification = "MvcHtmlString is immutable")]
        public static readonly MvcHtmlString Empty = Create(String.Empty);

        private readonly string _value;

        // This constructor is only protected so that we can subclass it in a dynamic module. In practice,
        // nobody should ever call this constructor, and it is likely to be removed in a future version
        // of the framework. Use the static Create() method instead.
        [EditorBrowsable(EditorBrowsableState.Never)]
        [Obsolete("The recommended alternative is the static MvcHtmlString.Create(String value) method.")]
        protected MvcHtmlString(string value) {
            _value = value ?? String.Empty;
        }

        public static MvcHtmlString Create(string value) {
            return _creator(value);
        }

        // in .NET 4, we dynamically create a type that subclasses MvcHtmlString and implements IHtmlString
        private static MvcHtmlStringCreator GetCreator() {
            Type iHtmlStringType = typeof(HttpContext).Assembly.GetType("System.Web.IHtmlString");
            if (iHtmlStringType != null) {
                // first, create the dynamic type
                Type dynamicType = DynamicTypeGenerator.GenerateType("DynamicMvcHtmlString", typeof(MvcHtmlString), new Type[] { iHtmlStringType });

                // then, create the delegate to instantiate the dynamic type
                ParameterExpression valueParamExpr = Expression.Parameter(typeof(string), "value");
                NewExpression newObjExpr = Expression.New(dynamicType.GetConstructor(new Type[] { typeof(string) }), valueParamExpr);
                Expression<MvcHtmlStringCreator> lambdaExpr = Expression.Lambda<MvcHtmlStringCreator>(newObjExpr, valueParamExpr);
                return lambdaExpr.Compile();
            }
            else {
                // disabling 0618 allows us to call the MvcHtmlString() constructor
#pragma warning disable 0618
                return value => new MvcHtmlString(value);
#pragma warning restore 0618
            }
        }

        public static bool IsNullOrEmpty(MvcHtmlString value) {
            return (value == null || value._value.Length == 0);
        }

        // IHtmlString.ToHtmlString()
        public string ToHtmlString() {
            return _value;
        }

        public override string ToString() {
            return _value;
        }

    }
}