Suggestions for placing AntiXSS calls in ASP.NET MVC

Question

Suggestions for placing AntiXSS calls in ASP.NET MVC

I am trying to find the best method of protection against Cross Site Scripting in my ASP.NET MVC application. I planned to use the Microsoft AntiXSS library and, in essence, protect it on two levels: 1) Protect plain text fields (i.e. those that should contain only plain text and 2) Protect text fields with protection that HTML can generate. The library itself is very simple, but it's hard for me to decide where to place the validation. I use strongly typed HTML helpers and directly bind my models / viewmodels and would like to avoid using AntiXSS individually in each action method. Also, you definitely don't want to disable validateinput in my post actions, which is a requirement if Im passes HTML to one of the properties of my model / viewmodel.

Is there somewhere that AntiXSS can be introduced into ASP.NET MVC so that it is applied before rendering the view (decoding) and before entering the action filter (encode)?

Thanks in advance

+4

asp.net-mvc xss antixsslibrary

JP. Jan 13 '10 at 16:28

source share

1 answer

jeffesp · Accepted Answer · 2010-01-13T18:33:53+0000

You can override the OnActionExecuting System.Web.Mvc.Controller method and use the ActionDescriptor property in the ActionExecutingContext OnActionExecuting argument to determine which action is currently running. You could (I think) change ActionParameters to ActionExecutingContext to do the encoding.

Are you planning on using this to check for naughty content ( AntiXss.GetSafeHtml ), or are you also planning on coding ( AntiXss.HtmlEncode )? If this is the last, I would think about it, since it limits your output format to HTML only, which is probably right now, but could be a limitation if this data should be used elsewhere.

Suggestions for placing AntiXSS calls in ASP.NET MVC

More articles: