I know I must use HtmlEncode() on everything that's displayed (Labels, etc.)
Do I also need to use it in my data-bound buttons' CommandArgument? (even though I can't, on input, trust them to still be so)
I finally found my answer here: https://stackoverflow.com/a/20791870/1455631
The CommandArgument, as well as the CommandName, are not sent from the client side to the server. They are stored in the LinkButton's ViewState and retrieved on the server side. In this case, the __EVENTARGUMENT form key will be empty.

Which means there's no need to sanitize CommandArgument.
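As an added illustration (not code from the question or the linked answer), a single-file Web Forms page whose LinkButton carries a data-bound CommandArgument: the handler reads it from the control's ViewState through the event args, treats it as a lookup key, and HtmlEncodes only what is rendered back to the page. The control names, the ProductId/Name fields and the sample data are assumptions; it also assumes ViewState is enabled on the Repeater (the default).

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Collections.Generic" %>
<%@ Import Namespace="System.Linq" %>
<script runat="server">
    // Constructed sample data; a real page would query a data store.
    // The second name contains markup on purpose, to show encoding on output.
    private static readonly Dictionary<int, string> Products = new Dictionary<int, string>
    {
        { 1, "Widget" },
        { 2, "<b>Not bold</b>" }
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Bind once; on postback the LinkButtons (and their CommandArgument)
        // are restored from ViewState, not re-bound and not read from the form.
        if (!IsPostBack)
        {
            ProductList.DataSource = Products.Select(p => new { ProductId = p.Key, Name = p.Value });
            ProductList.DataBind();
        }
    }

    protected void ProductList_ItemCommand(object source, RepeaterCommandEventArgs e)
    {
        // e.CommandArgument comes from the LinkButton's ViewState; __EVENTARGUMENT
        // is empty for this postback. Its integrity rests on the ViewState MAC
        // (EnableViewStateMac, on by default), so it is still used as a key, not echoed raw.
        if (e.CommandName != "Select") return;

        int id;
        if (!int.TryParse(Convert.ToString(e.CommandArgument), out id) || !Products.ContainsKey(id))
        {
            ResultLabel.Text = "Unknown product.";
            return;
        }
        // Whatever is displayed gets HtmlEncode(), regardless of where it came from.
        ResultLabel.Text = "Selected: " + HttpUtility.HtmlEncode(Products[id]);
    }
</script>

<asp:Repeater ID="ProductList" runat="server" OnItemCommand="ProductList_ItemCommand">
    <ItemTemplate>
        <asp:LinkButton runat="server" CommandName="Select"
            CommandArgument='<%# Eval("ProductId") %>'
            Text='<%# HttpUtility.HtmlEncode(Convert.ToString(Eval("Name"))) %>' />
        <br />
    </ItemTemplate>
</asp:Repeater>
<asp:Label ID="ResultLabel" runat="server" />
```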