Exam 70-486 topic 5 question 4 discussion

Actual exam question from Microsoft's 70-486
Question #: 4
Topic #: 5

You are developing an ASP.NET web application.
You need to ensure that the application can securely render user-generated content.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

  • A. Use the following code: var decodedUserInput = Server.UrlDecode(userInput);
  • B. Use the following WebForms markup: <span><%:userInput%></span>
  • C. Use the following Razor markup: <span>@userInput</span>
  • D. Use the following code: var decodedUserInput = Server.HtmlDecode(userInput);
Suggested Answer: AD
References:
https://docs.microsoft.com/en-us/dotnet/api/system.web.httpserverutility.urldecode?view=netframework-4.8
https://docs.microsoft.com/en-us/dotnet/api/system.web.httpserverutility.htmldecode?view=netframework-4.8

Comments

this_is_sparta
Highly Voted 5 years, 4 months ago
C + D: "When you display content in a page using the @ character, as in the preceding examples, ASP.NET HTML-encodes the output." (https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c) URLEncode replaces spaces with +
upvoted 6 times
founderDev
5 years, 4 months ago
Yes. B and C correct answer
upvoted 7 times
zimzimzimma
5 years ago
'Yes. B and C correct answer' I guess you mean C + D, since 'yes' was a confirmation about sparta posting C+D?
upvoted 1 times
not2smart
Highly Voted 4 years, 11 months ago
There is lots of discussion here. Is it CD, BC or BD? But I am going with BC for the following reason: The question asks about securely rendering user-generated content. That means it refers to Encoding the content, and NOT about Decoding the content. A and D are about Decoding the input user data when reading from the web page. B and C are about Encoding the user data when writing/rendering to the view. The WebForms markup and Razor markup shown in BC will automatically Encode the data when rendering.
upvoted 5 times
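
An added example, not part of the original page or of any commenter's post: a C# console program that contrasts the encode-on-output behaviour of options B and C with the decode calls in options A and D, using a constructed script payload. It assumes `System.Net.WebUtility` as a stand-in for `Server.HtmlDecode` and `Server.UrlDecode` (so it runs without an HTTP context) and that the decoded string is then written to the page as-is; `RenderDemo` and its helpers are hypothetical names.

```csharp
using System;
using System.Net;

static class RenderDemo
{
    // Constructed sample: text a user typed into a comment box.
    const string UserInput = "<script>alert('xss')</script>";

    // Options B (<%: %>) and C (Razor @): HTML-encode while writing to the page.
    static string RenderEncoded(string input) =>
        "<span>" + WebUtility.HtmlEncode(input) + "</span>";

    // Option D: HTML-decode, then (assumption) emit the result unencoded.
    static string RenderHtmlDecoded(string input) =>
        "<span>" + WebUtility.HtmlDecode(input) + "</span>";

    // Option A: URL-decode, then (assumption) emit the result unencoded.
    static string RenderUrlDecoded(string input) =>
        "<span>" + WebUtility.UrlDecode(input) + "</span>";

    // Crude check for this demo only: is there an unescaped <script tag?
    static bool HasLiveScriptTag(string html) =>
        html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;

    static void Report(string label, string html) =>
        Console.WriteLine($"{label,-38} live script tag: {HasLiveScriptTag(html),-5} {html}");

    static void Main()
    {
        // The same payload in the encoded forms it might be stored or sent in.
        string htmlEncoded = WebUtility.HtmlEncode(UserInput);
        string urlEncoded = WebUtility.UrlEncode(UserInput);

        Report("HtmlEncode on output (B, C)", RenderEncoded(UserInput));
        Report("HtmlDecode of encoded input (D)", RenderHtmlDecoded(htmlEncoded));
        Report("UrlDecode of URL-encoded input (A)", RenderUrlDecoded(urlEncoded));
        // Encoding twice is safe but shows literal entities to the reader.
        Report("HtmlEncode of already-encoded input", RenderEncoded(htmlEncoded));
    }
}
```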
northgaterebel
Most Recent 4 years, 5 months ago
B + C. https://docs.microsoft.com/en-us/previous-versions/aspnet/a2a4yykt(v=vs.100) "How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings" https://www.c-sharpcorner.com/UploadFile/ff2f08/aspx-view-engine-vs-razor-view-engine/ "Razor View Engine: By default all text from an @ expression is HTML encoded." "ASPX View Engine: There is a different syntax ("<%: %>") to make text HTML encoded."
upvoted 1 times
rdhainaut
4 years, 5 months ago
I go for C (after reading the this_is_sparta doc link) + D as correct answers
upvoted 1 times
rdhainaut
4 years, 5 months ago
My final answer: B, C. My previous answer is not correct because D uses "Decode" and not "Encode". Sources: B: see here https://weblogs.asp.net/scottgu/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2 C: see Tip here https://docs.microsoft.com/en-us/aspnet/web-pages/overview/getting-started/introducing-razor-syntax-c#1-you-add-code-to-a-page-using-the--character
upvoted 1 times
dutchHunter
4 years, 9 months ago
Does this make sense: The user input gets encoded after input and then, to render the input in the application it needs to be decoded again. The razor and forms markup show encoded strings, but that's not the intention of the question. If this is right, A and D are right. Correct me if I'm wrong.
upvoted 4 times
HediKamoun
4 years, 8 months ago
Yes A and D
upvoted 1 times
eggzamtaker
4 years, 8 months ago
How can A be the answer?
upvoted 1 times
murat12345
4 years, 7 months ago
I think I agree with you.
upvoted 1 times
Dev666
5 years, 1 month ago
Agree with founderDev
upvoted 1 times
Jobair
5 years, 2 months ago
My question is: is A correct or not? To me, all of them.
upvoted 2 times
LAV
5 years, 3 months ago
Correct answer B,D (ref.:https://weblogs.asp.net/scottgu/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2)
upvoted 2 times
majco333
5 years, 4 months ago
B, C, D are correct
upvoted 1 times
majco333
5 years, 3 months ago
only B, C are correct
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted