Input validation does not work on asp.net mvc 4 model sent as JSON

I have a model and a form in a view. I have a simple line field called a description. I can insert scripts like <script>alert('xss')</script> in this field. I see that in other actions on my site with a different model I can't. I don't have AllowHtml or anything like that.

The only difference is that for this model I am sending a message with a JSON object and the application/json content type. ModelState.IsValid returns true, although there is a description property with an XSS script in it...

and for other actions I am doing a simple ajax post.

Why does input validation not work for such Ajax JSON messages? How can I prevent XSS throughout the site for such Ajax requests?

thanks

+4
1 answer

This is because ValidateInput is for FormValueProvider only. As for JsonValueProvider, you need to deploy your own mechanism.

Steps:
1) Create a marker attribute CustomAntiXssAttribute.
2) Create a custom CustomAntiXssAttribute by subclassing DefaultModelBinder.
3) Override the BindProperty method: get the attempted value for the base property, sanitize it and assign it to the view model property. Check this out.

Edited: Replace the line var valueResult = bindingContext.ValueProvider.GetValue(propertyDescriptor.Name); with var valueResult = bindingContext.ValueProvider.GetValue((string.IsNullOrWhiteSpace(bindingContext.ModelName) ? string.Empty : bindingContext.ModelName + ".") + propertyDescriptor.Name); to support nested ViewModels.

+1
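The three steps above, including the nested-ViewModel key fix from the edit, written out as an added example (not the answerer's code); the class name AntiXssModelBinder and the choice to HTML-encode rather than reject the value are my assumptions:

```csharp
using System;
using System.ComponentModel;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Step 1: marker attribute for string properties that must not carry raw markup.
[AttributeUsage(AttributeTargets.Property)]
public sealed class CustomAntiXssAttribute : Attribute { }

// Step 2: a model binder that applies to every provider, JSON included,
// because ValidateInput only covers form/query-string values.
public class AntiXssModelBinder : DefaultModelBinder
{
    // Step 3: intercept the bind of each property.
    protected override void BindProperty(ControllerContext controllerContext,
        ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
    {
        bool isMarkedString = propertyDescriptor.PropertyType == typeof(string)
            && propertyDescriptor.Attributes.OfType<CustomAntiXssAttribute>().Any();

        if (isMarkedString)
        {
            // Fully qualified key ("Parent.Description") so nested view models resolve.
            string prefix = string.IsNullOrWhiteSpace(bindingContext.ModelName)
                ? string.Empty
                : bindingContext.ModelName + ".";
            ValueProviderResult valueResult =
                bindingContext.ValueProvider.GetValue(prefix + propertyDescriptor.Name);

            if (valueResult != null)
            {
                // Encode the attempted value: "<script>" is stored as "&lt;script&gt;"
                // and renders as inert text instead of executing.
                string safe = HttpUtility.HtmlEncode(valueResult.AttemptedValue);
                propertyDescriptor.SetValue(bindingContext.Model, safe);
                return;
            }
        }

        base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
    }
}

// Register once in Global.asax.cs Application_Start so all actions use it:
// ModelBinders.Binders.DefaultBinder = new AntiXssModelBinder();
```

Mark the Description property with [CustomAntiXss] and the JSON post is encoded at bind time; output encoding in the views (Razor's @ does this) is still needed for values that reached the database by another path.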