I think Knockout handles this situation, but wanted to confirm. Is it true that if using the value binding w/ a form control like input/textarea there is no danger of a script injection attack?
Or do you need to do something to ensure the value is encoded prior to setting it in the view model?
The value will be saved to the view model, as is. It just depends how you use it. The text binding will encode the content based on using innerText/textContent to set the value. So, you are safe there. If you were to use the html binding with content that was set via the value binding, then it would be possible to inject a script. See the Knockout doco About HTML encoding for more info.
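
An added example, not part of the original answer and not Knockout's own code: when a string captured by the value binding has to be shown through the html binding, encode it before it reaches that binding. `escapeHtml`, `renderComment` and `CommentViewModel` are hypothetical names; `ko.observable` and `ko.pureComputed` are Knockout's API, with `ko` passed in as a parameter.

```javascript
// Added example: escapeHtml, renderComment and CommentViewModel are hypothetical names.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Markup for an html binding: only the fixed template is live HTML,
// the user's text is encoded and its line breaks become <br>.
function renderComment(userText) {
  return '<p class="comment">' + escapeHtml(userText).replace(/\r?\n/g, '<br>') + '</p>';
}

// ko is passed in so the view model can be exercised without a browser.
function CommentViewModel(ko) {
  // <textarea data-bind="value: comment"></textarea>  stores the raw string
  this.comment = ko.observable('');
  // <span data-bind="text: comment"></span>           safe as is
  // <div data-bind="html: commentHtml"></div>         safe only because of renderComment
  this.commentHtml = ko.pureComputed(() => renderComment(this.comment()));
}
```

The view model still holds the raw string, so anything that later sends `comment` to a server or another template must treat it as untrusted.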