Happy new year! A new build for Spark has been posted on the download page that includes a SparkVsIntegration.msi file in the root of the zip. That file will deploy needed resources to Program Files\Spark and add registry entries.

Newer versions of the msi will upgrade these without needing to uninstall. To reverse any changes you may uninstall “Spark View Engine” from Control Panel at any time.

There are a few other changes (see the release notes on the download page for details), but one of them is based on a thread started by Kevin Dente:

There’s been a bunch of discussion in the blogosphere lately about XSS
and encoding output, with the general consensus being “always HTML
encode your output”. Yet no view engines seem to do this. Have you
considered making Spark encode output by default (with a way to
escape, of course)? Or at least giving an expression syntax that
encodes by default (e.g #{expr}, ^{expr}, or whatever).

See also The Perfect Storm Botnet. In the end the feature lets you opt in to a configuration where every ${expr} is HTML-encoded by default, and the expressions you explicitly intend to emit raw HTML use the !{expr} syntax instead.

Assuming you have an existing project, there’s a migration path if you want to switch over. First go through your entire project and change $ to ! wherever you want raw HTML to come through.

<p>
  Hello ${H(user.Name)}
  ${Html.ActionLink("edit profile", "edit", "account")}
</p>

becomes

<p>
  Hello ${H(user.Name)}
  !{Html.ActionLink("edit profile", "edit", "account")}
</p>

You can verify your site’s still working after this step because $ and ! behave identically while automatic HTML encoding is still disabled. Then turn on the option with a config switch:

<configuration>
  <spark>
    <pages automaticEncoding="true"/>
  </spark>
</configuration>

You can verify your site is still working at this point because ${H(expr)} will ignore the redundant H() rather than encoding the value twice. Finally go through and remove those extra H()’s.

<p>
  Hello ${user.Name}
  !{Html.ActionLink("edit profile", "edit", "account")}
</p>
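To show why the three steps keep the rendered output identical at every stage, here is a small simulation of the ${expr} / !{expr} semantics described above. This is added example code, not Spark’s own renderer: the expression syntax, the H() detection and the model values are constructed for the illustration.

```python
import html
import re

# Matches ${expr} and !{expr}; the sigil decides whether encoding applies.
EXPR = re.compile(r"([$!])\{([^}]*)\}")


def H(value):
    """Explicit encoder standing in for Spark's H() helper (assumption)."""
    return html.escape(value, quote=True)


def evaluate(expr, model):
    """Return (value, already_encoded); H(x) marks its result as encoded."""
    m = re.fullmatch(r"H\((.*)\)", expr.strip())
    if m:
        return H(model[m.group(1).strip()]), True
    return model[expr.strip()], False


def render(template, model, automatic_encoding):
    def sub(m):
        sigil, expr = m.group(1), m.group(2)
        value, encoded = evaluate(expr, model)
        # !{} always passes raw; ${} encodes only when automaticEncoding is on,
        # and a value already wrapped in H() is not encoded a second time.
        if sigil == "$" and automatic_encoding and not encoded:
            return H(value)
        return value
    return EXPR.sub(sub, template)


# Constructed model: a hostile user name and a helper that returns raw HTML.
MODEL = {
    "user.Name": "<script>alert(1)</script> O'Brien",
    "link": '<a href="/account/edit">edit profile</a>',
}
BEFORE = "Hello ${H(user.Name)} ${link}"   # original template
STEP1 = "Hello ${H(user.Name)} !{link}"    # raw HTML switched to !{}
STEP3 = "Hello ${user.Name} !{link}"       # redundant H() removed


def migration_outputs():
    """Output at each stage of the migration; all four should be identical."""
    return {
        "before": render(BEFORE, MODEL, False),
        "step1_encoding_off": render(STEP1, MODEL, False),
        "step2_encoding_on": render(STEP1, MODEL, True),
        "step3_encoding_on": render(STEP3, MODEL, True),
    }
```

Rendering BEFORE with encoding turned on (skipping step 1) encodes the ActionLink markup, and rendering STEP3 with encoding still off (skipping step 2) emits the script tag raw, which is why each step is verified before the next.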