Html encoding in MVC input
- by fearofawhackplanet
I'm working through NerdDinner and I'm a bit confused about the following section...
First they've added a form for creating a new dinner, with a bunch of textboxes declared like:
<%= Html.TextArea("Description") %>
They then show two ways of binding form input to the model:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create() {
    Dinner dinner = new Dinner();
    UpdateModel(dinner);
    ...
}
or:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(Dinner dinner) { ... }
Ok, great, that all looks really easy so far.
Then a bit later on they say:
  It is important to always be paranoid
  about security when accepting any user
  input, and this is also true when
  binding objects to form input. You
  should be careful to always HTML
  encode any user-entered values to
  avoid HTML and JavaScript injection
  attacks
Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?
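As an added illustration (not part of the original question or of the NerdDinner code itself): the encoding the tutorial refers to is applied when the bound values are rendered back out in a view, not during model binding. The controller below stores the raw text and the view encodes it on output. It assumes a Dinner class with string Description and int DinnerID properties and an IDinnerRepository with Add, Save and GetDinner methods; those names are assumptions, not taken from the page.

```csharp
using System.Web.Mvc;

public class DinnersController : Controller
{
    // Assumed repository interface; the names are not from the original post.
    private readonly IDinnerRepository dinnerRepository;

    public DinnersController(IDinnerRepository repository)
    {
        dinnerRepository = repository;
    }

    // POST /Dinners/Create
    // Model binding copies the raw form text into dinner.Description.
    // Nothing is encoded here: the store keeps exactly what the user typed.
    // ASP.NET request validation (on by default) rejects form values that look
    // like markup before this action runs; [ValidateInput(false)] turns it off,
    // which makes the output encoding in the view the only remaining defence.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create(Dinner dinner)
    {
        if (!ModelState.IsValid)
            return View(dinner);

        dinnerRepository.Add(dinner);
        dinnerRepository.Save();
        return RedirectToAction("Details", new { id = dinner.DinnerID });
    }

    // GET /Dinners/Details/5
    public ActionResult Details(int id)
    {
        Dinner dinner = dinnerRepository.GetDinner(id);
        if (dinner == null)
            return View("NotFound");
        return View(dinner);
    }
}

/* Details.aspx (view): this is where the encoding belongs.

   Unencoded: a Description containing a <script> tag is emitted as live markup.
       <p><%= Model.Description %></p>

   Encoded: the same text is emitted as &lt;script&gt; and displayed literally.
       <p><%= Html.Encode(Model.Description) %></p>

   ASP.NET 4 / MVC 2 add the <%: %> shorthand, which encodes the same way.
       <p><%: Model.Description %></p>

   Html.TextArea("Description") on the edit form already encodes the value it
   re-displays, so only raw <%= %> output of user-entered text needs the call.
*/
```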