[{"data":1,"prerenderedAt":171},["ShallowReactive",2],{"blog:2007:investigating-monorail-shock-at-html-injection":3,"blogMore-Development":157,"comments-investigating-monorail-shock-at-html-injection":170},{"id":4,"title":5,"body":6,"category":138,"commentCount":130,"date":139,"description":140,"excerpt":141,"extension":142,"filenames":143,"hidden":144,"image":143,"meta":145,"minutes":146,"navigation":147,"path":148,"seo":149,"showCategory":143,"stem":150,"tags":151,"updated":143,"url":154,"wordCount":155,"__hash__":156},"content\u002Fblog\u002F2007\u002Finvestigating-monorail-shock-at-html-injection.md","Investigating MonoRail",{"type":7,"value":8,"toc":128},"minimark",[9,14,18,21,24,28,38,41,56,60,63,66,75,79,82,90,94,97,100,103,107,116,122],[10,11,13],"h2",{"id":12},"fighting-winforms","Fighting WinForms",[15,16,17],"p",{},"I hate fighting with a technology to get it to do what I want because it means I either have the wrong expectation or wrong technology.",[15,19,20],{},"With web development I expect strict web standard support and clean code that is easy to maintain.",[15,22,23],{},"I am, therefore, tired of fighting with WebForms and seeing as I’m not prepared to change my expectation then the technology must change.",[10,25,27],{"id":26},"looking-at-monorail","Looking at MonoRail",[15,29,30,37],{},[31,32,36],"a",{"href":33,"rel":34},"https:\u002F\u002Fwww.rubyonrails.org\u002F",[35],"nofollow","Ruby on Rails"," is very fast, elegant and powerful but comes with a bunch of unknowns. The IDEs I’ve tried have been so-so, there is no support for IntelliSense so I’m forced to remember exact property and method names. There are concerns about performance and scalability and I find the Ruby language itself cryptic.",[15,39,40],{},"My current .NET environment has all these things, so what I’m really looking for is an alternative to the WebForms element itself. 
It also has a powerful framework, tons of samples, and C# is not only enjoyable but very in-demand :)",[15,42,43,44,49,50,55],{},"MonoRail seems to be just what I am looking for but there are a number of things keeping me away. I decided to spend an hour watching a screen cast ",[31,45,48],{"href":46,"rel":47},"https:\u002F\u002Fayende.com\u002FBlog\u002Farchive\u002F2007\u002F04\u002F09\u002FHibernating-Rhinos--Episode-2--Select--From-MonoRail.Customers.aspx",[35],"on WinForms and MonoRail"," from ",[31,51,54],{"href":52,"rel":53},"https:\u002F\u002Fwww.ayende.com",[35],"Ayende @ Rahien’s blog",". It calmed some concerns but raised a few others…",[10,57,59],{"id":58},"nhibernate-mapping-files","NHibernate mapping files",[15,61,62],{},"NHibernate provides the core ORM system within MonoRail and normally requires XML mapping files to do so.",[15,64,65],{},"I really don’t want or need another abstraction layer here; my tables are freshly modeled and represent my domain classes very well. Rails, Subsonic and LINQ to SQL are all happy to just do it\u002F",[15,67,68,69,74],{},"Fortunately, a project called ",[31,70,73],{"href":71,"rel":72},"https:\u002F\u002Faltinoren.com\u002Factivewriter\u002F",[35],"ActiveWriter"," gives you a very LINQ to SQL-like experience in dragging tables off, changing names and properties if you want and doing the magic for you.",[10,76,78],{"id":77},"activerecord-template","ActiveRecord template",[15,80,81],{},"I still don’t like this mix of static and instance methods providing some sort of split between what should really be two classes but I can live with it.",[15,83,84,85,89],{},"There is also a ",[86,87,88],"code",{},"Repository\u003CT>"," option mentioned which perhaps solves this, I shall have to investigate it further.",[10,91,93],{"id":92},"view-engines","View engines",[15,95,96],{},"There are a number of view engines available for MonoRail but the primary ones are NVelocity and Brail.",[15,98,99],{},"As I already have C# and 
JavaScript in my project, I have no desire to add another language unless there is a good reason to do so. If they want to stop people writing too much view code then what is wrong with a subset of C#?",[15,101,102],{},"The template engines also mean giving up strong typing (everything is passed to the view in a type-less property bag accessed with a string key!) and a complete lack of IntelliSense (the demo stalls as fields are mistyped on occasion, proving just how useful this is).",[10,104,106],{"id":105},"html-injection","HTML injection",[15,108,109,110,115],{},"Yes, in this day and age HTML injection should be a long-dead concern and yet even the built-in ",[31,111,114],{"href":112,"rel":113},"https:\u002F\u002Fwww.ayende.com\u002FBlog\u002Farchive\u002F2007\u002F04\u002F05\u002FHaving-Fun-with-SmartGridComponent.aspx",[35],"SmartGridComponent"," will happily squirt out data without encoding it, thus allowing data from anywhere to contain HTML ready to be injected into an unsuspecting page.",[117,118,119],"blockquote",{},[15,120,121],{},"Ayende has investigated the issue now and is working on getting a fix into the tree.",[15,123,124],{},[125,126,127],"em",{},"[)amien",{"title":129,"searchDepth":130,"depth":130,"links":131},"",2,[132,133,134,135,136,137],{"id":12,"depth":130,"text":13},{"id":26,"depth":130,"text":27},{"id":58,"depth":130,"text":59},{"id":77,"depth":130,"text":78},{"id":92,"depth":130,"text":93},{"id":105,"depth":130,"text":106},"Development","2007-08-17T11:44:06+00:00","First impressions evaluating Castle MonoRail as an alternative to ASP.NET WebForms — what it gets right, what's missing for a strong-typing C# developer, and the discovery that the built-in grid component happily injects unescaped HTML.","[object 
Object]","md",null,false,{},3,true,"\u002Fblog\u002F2007\u002Finvestigating-monorail-shock-at-html-injection",{"title":5,"description":140},"blog\u002F2007\u002Finvestigating-monorail-shock-at-html-injection",[152,153],".NET","WebForms","\u002Fblog\u002F2007\u002Finvestigating-monorail-shock-at-html-injection\u002F",527,"auY1WqiEiCqIX5L8JuDTJKgRqREqQ35qB3NjQwSziFQ",[158,162,166],{"title":159,"date":160,"url":161},"Transactions in the MongoDB EF Core Provider","2025-10-25","\u002Fblog\u002F2025\u002Fmongodb-explicit-transactions\u002F",{"title":163,"date":164,"url":165},"Queryable Encryption with the MongoDB EF Core Provider","2025-09-22","\u002Fblog\u002F2025\u002Fmongodb-queryable-encryption\u002F",{"title":167,"date":168,"url":169},"Lazy Loading with EF Core Proxies","2025-04-02","\u002Fblog\u002F2025\u002Fef-proxies\u002F",[],1780900531214]