tags:
views: 30
answers: 1

When a viewmodel is passed into the asp.net mvc controller, are the inputs automatically sanitized against sql injection, or do I have to sanitize each property on my viewmodel with something like AntiXss.GetSafeHtml from the Microsoft Antixss library?

I'm new to MVC, so I'm not familiar with all the behind the scenes things the asp.net mvc controllers do.

Thanks!

EDIT - I meant to say I should sanitize my inputs for use in sql down the stack. Is the anti-forgery token in MVC enough to stop xss?

A: 

I don't believe that they are sanitized, although you seem to refer to sql injection in your title and XSS in your text - which are you worried about?

You still need to properly parameterise any SQL queries, and any html output to the front end should be within an Html.Encode().


To answer the comment, I believe that the front end should do no sort of SQL validation (as there are ways around simple sanitization), but rather rely on properly parameterized queries to stop this sort of attack. Any other way is open to being worked around.


Also - the anti-forgery token mitigates against cross site request forgery (XSRF), not XSS. Enter in <script>alert("Hello");</script> into one of your textboxes and then go to another page on your site where this might be output directly on the screen (e.g. in a table, or as a readonly view) - if you don't properly encode this, you have a problem.

Paddy
Oops, you're right, I'll edit my question. I'm concerned about both, but I'm worried more about sql injection. The xss stuff seems to be covered by the anti-forgery token.
Jason More
@JasonM - Please see my edits above.
Paddy
Got it, thanks!
Jason More
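The three points made in the answer (model binding does not sanitize, SQL must be parameterised, HTML output must be encoded, and the anti-forgery token only covers XSRF) put together in one ASP.NET MVC slice. This is an added example, not code from the question or answer above; the view model, controller, repository, table and the "Customers" connection-string name are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

// Hypothetical view model. The MVC model binder copies request values into
// these properties verbatim; nothing here is sanitized for SQL or HTML.
public class CustomerSearchViewModel
{
    public string LastName { get; set; }
}

// Hypothetical data-access class. The defence against SQL injection lives
// here, at the point where the value meets the database, not in the controller.
public class CustomerRepository
{
    private readonly string _connectionString;

    public CustomerRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // For contrast only: building the statement by concatenation lets the
    // user's text change the meaning of the query. Never execute this form.
    public static string UnsafeQueryText(string lastName)
    {
        return "SELECT FirstName FROM Customers WHERE LastName = '" + lastName + "'";
    }

    // Parameterised form: the value is sent as typed data, so the driver never
    // interprets any part of it as SQL, whatever characters it contains.
    public IList<string> FindByLastName(string lastName)
    {
        const string sql = "SELECT FirstName FROM Customers WHERE LastName = @lastName";
        var results = new List<string>();

        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value =
                (object)lastName ?? DBNull.Value;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader.GetString(0));
                }
            }
        }
        return results;
    }
}

public class CustomersController : Controller
{
    // "Customers" is a hypothetical connection-string name in web.config.
    private readonly CustomerRepository _repo = new CustomerRepository(
        ConfigurationManager.ConnectionStrings["Customers"].ConnectionString);

    // ValidateAntiForgeryToken checks the token emitted by @Html.AntiForgeryToken()
    // in the form. It stops cross-site request forgery; it does nothing for XSS.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Search(CustomerSearchViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        ViewBag.Results = _repo.FindByLastName(model.LastName);
        return View(model);
    }
}

public static class OutputEncoding
{
    // XSS is stopped at output time. Anything user-supplied that is written
    // into a page must be HTML-encoded; this is the same encoding Razor's
    // @-syntax applies by default and that Html.Raw() deliberately skips.
    public static string ForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }
}
```

In the Razor view, `@Html.AntiForgeryToken()` goes inside the `<form>` so the `[ValidateAntiForgeryToken]` check can succeed, and results are written with plain `@name` (encoded automatically) rather than `@Html.Raw(name)`. Passing the answer's `<script>alert("Hello");</script>` through `OutputEncoding.ForHtml` yields text the browser renders as literal characters instead of executing, which is the check to run when reviewing a view.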