In standard ASP.NET applications, ASP.NET offered some protection from XSS attacks with validateRequest throwing "detected dangerous input" errors if someone tried to. This functionality seems to have been taken out of MVC; any idea why?

Thanks,

Alex

+3  A: 

This is a hard line to cross. Is your web application just a RESTful web resource like it 'should' be? Or is it trying to do more. Next thing you know you have 100 hidden input fields: __VIEWSTATE, __EVENTTARGET, __EVENTARGUMENT, etc, etc.

As you know, you can still prevent XSS attacks in MVC. Just google it to see several examples. But the reason is basically that MVC is a different, 'cleaner' type of web application.

EDIT: I don't know if what I've said above is clear. But the idea is that MVC isn't going to try to be more than what it is (like ASP.NET does). They both have their strong points and reasons.

Timothy Khouri
Thanks Timothy, I don't have a particular website in mind. I think the request validation is still in keeping with the RESTful nature, as it doesn't interfere with the request until it is received, and then only if it's potentially dangerous. What approach are you taking with XSS?
alexmac
+2  A: 

I hope you have something more robust than ValidateRequest to avoid XSS, anyway.

rodbv
It is more helpful to suggest alternatives than to simply reject an approach.
RedFilter
Is ValidateRequest really so bad? I ensure that I encode any html inputted by the user but would be interested in what approach you are taking?
alexmac
"Magic" is bad. If you don't understand the vulnerabilities of your application and how to counter them, your reliance on other people to make your application safe is dangerous. It's a hole in your understanding that should be educated away, not wallpapered over.
Will
BTW, it's a never-ending process. I'm learning more about it myself. The idea that there are severe vulnerabilities out there that I don't understand scares me, and it should scare any programmer...
Will
geek_in_belgium do you have an example that bypasses the asp.net built in features?
alexmac
alexmac: try prefixing a form name with __ (2 underscores): it will bypass the validation.
rodbv
+1  A: 

I find the ValidateRequest solution a hack. In my opinion 'warding off XSS' is a business rule; therefore let the Model handle the situation.

I really like the explanation regarding the desire to better follow REST principles. As to the 100 hidden fields, it reminds me of an ASP solution I provided some years ago; I used a proliferation of hidden fields to carry metadata. Not pretty.

+5  A: 

I know this question is old but I thought I could answer it anyway.

There is a ValidateInput action filter attribute which can be added to actions.

```csharp
// Request validation is on for this action (true is also the default);
// [ValidateInput(false)] would switch it off for this action only.
[ValidateInput(true)]
public ActionResult Foo()
{
    return View();
}
```
Sruly
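An added example (not from any of the posts above) of how the ValidateInput attribute is typically combined with output encoding: request validation stays on for the whole controller and is relaxed for one action that must accept markup, and that action encodes the input before it reaches a view. The controller, action and view names are assumptions for the illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example: one action keeps the default request validation, the other
// opts out of it and relies on output encoding instead. The action and
// controller names are made up for the illustration.
public class CommentsController : Controller
{
    // Default behaviour: request validation is on, so a value such as
    // "<script>" posted in "text" makes ASP.NET throw
    // HttpRequestValidationException before this method body ever runs.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Post(string text)
    {
        ViewData["Text"] = EncodeForHtml(text);
        return View("Post");
    }

    // Rich-text case: this action genuinely needs to receive markup, so
    // validation is switched off for it alone. As rodbv notes above, the
    // built-in validation also skips form keys prefixed with "__", so the
    // defence that actually holds in both actions is the same: encode on
    // output and never echo the raw input into a page.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult PostRichText(string text)
    {
        ViewData["Text"] = EncodeForHtml(text);
        return View("Post");
    }

    // HTML-encodes user input so that "<script>alert(1)</script>" is stored
    // and rendered as "&lt;script&gt;alert(1)&lt;/script&gt;" (inert text).
    internal static string EncodeForHtml(string input)
    {
        return HttpUtility.HtmlEncode(input ?? string.Empty);
    }
}
```

On .NET 4 and later the attribute alone is not sufficient: the site's web.config also needs `<httpRuntime requestValidationMode="2.0" />`, otherwise validation runs before MVC sees the attribute.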