I am attempting to find the optimal method of guarding against Cross Site Scripting in my ASP.NET MVC application. I planned to use Microsoft's AntiXSS library and essentially guard on two levels: 1) protect regular textboxes (i.e. those that should only contain plain text) and 2) protect rich text boxes which can generate HTML. The library itself is very straightforward, but I'm having difficulty deciding where to place the validation. I am using strongly typed HTML helpers and binding my models/viewmodels directly, and would like to avoid applying AntiXSS individually in each action method. Also, I definitely don't want to turn off ValidateInput on my post actions, which is a requirement if I'm passing HTML in one of the properties of my model/viewmodel.

Is there somewhere that AntiXSS can be injected in ASP.NET MVC so that it is applied before rendering the view (decode) and before entering the action filter (encode)?

Thanks in advance

+1  A: 

You could override the OnActionExecuting method of System.Web.Mvc.Controller and use the ActionDescriptor property on the ActionExecutingContext argument of OnActionExecuting to determine what action is currently running. You could then (I think) modify the ActionParameters on the ActionExecutingContext to do encoding.

Are you only planning on using this for checking for naughty content (AntiXss.GetSafeHtml), or are you also planning on encoding (AntiXss.HtmlEncode)? If it is the latter I would think about it as it limits your output format to HTML only, which is probably ok right now but might be limiting if this data is to be used anywhere else.

jeffesp
A better solution would be to create an `ActionFilterAttribute` that would do the same filtering. Then you wouldn't have to distinguish the action using `ActionDescriptor`, but could just put the attribute on the controller actions that need it.
jeffesp
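The attribute approach from the answer and its comment, written out as an added example (this is not the answerer's code): an `ActionFilterAttribute` that rewrites `ActionParameters` in `OnActionExecuting`, encoding plain-text strings and sanitizing rich-text properties. It assumes the AntiXSS library's `Microsoft.Security.Application` namespace and the `AntiXss.HtmlEncode` / `AntiXss.GetSafeHtml` methods named in the answer; `AllowSafeHtmlAttribute` and `AntiXssInputAttribute` are names chosen here.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using Microsoft.Security.Application; // assumed: AntiXss.HtmlEncode / AntiXss.GetSafeHtml

// Marks a model property that legitimately carries rich-text HTML (hypothetical name);
// such properties go through AntiXss.GetSafeHtml instead of being fully encoded.
[AttributeUsage(AttributeTargets.Property)]
public sealed class AllowSafeHtmlAttribute : Attribute { }

// Put this on a controller or on individual actions. Before the action body runs it
// HTML-encodes every string action parameter and every writable string property of
// bound model/viewmodel parameters, except [AllowSafeHtml] properties, which are
// sanitized as HTML fragments instead.
public sealed class AntiXssInputAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var parameters = filterContext.ActionParameters;
        foreach (var key in parameters.Keys.ToList())   // copy the keys: we assign while iterating
        {
            object value = parameters[key];
            var text = value as string;
            if (text != null)
                parameters[key] = AntiXss.HtmlEncode(text);
            else if (value != null && !value.GetType().IsPrimitive)
                SanitizeModel(value);                    // bound model or viewmodel
        }
        base.OnActionExecuting(filterContext);
    }

    private static void SanitizeModel(object model)
    {
        var stringProps = model.GetType()
            .GetProperties(BindingFlags.Public | BindingFlags.Instance)
            .Where(p => p.PropertyType == typeof(string) && p.CanRead && p.CanWrite);

        foreach (var prop in stringProps)
        {
            var current = (string)prop.GetValue(model, null);
            if (current == null) continue;
            bool richText = prop.IsDefined(typeof(AllowSafeHtmlAttribute), false);
            string cleaned = richText ? AntiXss.GetSafeHtml(current) : AntiXss.HtmlEncode(current);
            prop.SetValue(model, cleaned, null);
        }
    }
}
```

Request validation runs during model binding, before any action filter executes, so a rich-text property still has to be exempted from it ([ValidateInput(false)] on the action, or [AllowHtml] on the property in MVC 3 and later) for the sanitizer to ever see the HTML.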