I am attempting to find the optimal method of guarding against Cross Site Scripting in my ASP.NET MVC application. I planned to use Microsoft’s AntiXSS library and essentially guard on two levels: 1) protect regular textboxes (i.e. those that should only contain plain text) and 2) protect rich text boxes which can generate HTML. The library itself is very straightforward, but I’m having difficulty deciding where to place the validation. I am using strongly typed HTML helpers and binding my models/viewmodels directly, and would like to avoid applying AntiXSS individually in each action method. Also, I definitely don’t want to turn off ValidateInput on my post actions, which is a requirement if I’m passing HTML in one of the properties of my model/viewmodel.
Is there somewhere that AntiXSS can be injected in ASP.NET MVC so that it is applied before rendering the view (decode) and before entering the action filter (encode)?
Thanks in advance