tags:

views:

231

answers:

1
+1  Q: 

Suggestions for where to put AntiXSS calls in ASP.NET MVC

I am attempting to find the optimal method of guarding against Cross Site Scripting in my ASP.NET MVC application. I planned to use Microsoft’s AntiXSS library and essentially guard on two levels: 1) Protect regular textboxes (i.e. those that should only contain plain text and 2) Protect rich text boxes which can generate HTML. The library itself is very straightforward but I’m having difficulty deciding where to place the validation. I am using strongly typed HTML helpers and binding my models/viewmodels directly and would like to avoid applying AntiXSS individually in each action method. Also, definitely don’t want to turn off validateinput on my post actions which is a requirement if I’m passing HTML in one of the properties of my model/viewmodel.

Is there somewhere that AntiXSS can be injected in ASP.NET MVC so that it is applied before rendering the view (decode) and before entering the action filter (encode)?

Thanks in advance

+1  A: 

You could override the OnActionExecuting method of System.Web.Mvc.Controller and use the ActionDescriptor propery on the ActionExecutingContext argument of OnActionExecuting to determine what action is currently running. You could then (I think) modify the ActionParameters on the ActionExecutingContext to do encoding.

Are you only planning on using this for checking for naughty content (AntiXss.GetSafeHtml), or are you also planning on encoding (AntiXss.HtmlEncode)? If it is the latter I would think about it as it limits your output format to HTML only, which is probably ok right now but might be limiting if this data is to be used anywhere else.

jeffesp  2010-01-13 18:33:53
A better solution would be to create an `ActionFilterAttribute` that would do the same filtering. Then you wouldn't have to distinguish the action using `ActionDescriptor`, but could just put the attribute on the controller actions that need it.
jeffesp  2010-01-14 13:36:41

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests