Sunday 28 September 2008

ASP.NET MVC – XSS and AutoBind vulns in MVC Example

A while back (while in the middle of the research that led to the publishing of the Security Vulnerabilities in the Spring Framework Model View Controller) I decided to check out if the (still in beta) ASP.NET MVC framework was vulnerable to it.

At first quick analysis it looks vulnerable to the AutoBinding issue (and also to XSS), so here are my draft research notes as a download file (ASP.NET MVC - XSS and AutoBind vulns in MVC).

Please let me know if I am missing something obvious, or maybe there is something in the new version that prevents this:
Some MVC-related links: