Geeks With Blogs
Liam McLennan
Since .NET 2.0, WebForms has protected the programmer from cross-site scripting by validating all input sent to the server. Unfortunately, this does not happen in MVC. I tested my application by typing 'alert("xss");' surrounded by script tags in the first name textbox. The form saved successfully and I got a JavaScript alert box with the message "xss".

In MVC it is the programmer's responsibility to validate all input. Calling Request.ValidateInput() in a controller tells the framework that any values read from the request should be validated. If an invalid character is found, an HttpRequestValidationException is thrown.

Here is an example implementation:
Request.ValidateInput(); // opt in: values read from the request below are now checked
try { UpdateModel(b, new[] { "FirstName", "LastName", "Email" }); }
catch (HttpRequestValidationException) { /* Handle request validation error */ }
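A fuller version of the same pattern, written here as an added example rather than code from the post: a controller action that opts in to request validation, binds the three fields, and on a validation failure redisplays the form with an error instead of saving the submission. The controller, model, action and view names and the in-memory store are assumptions for the example, and the AcceptVerbs and ModelState calls follow the ASP.NET MVC 1.0-era API rather than the preview build the post was written against.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical model bound from the form; the name and fields are assumptions.
public class Contact
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string Email { get; set; }
}

public class ContactController : Controller
{
    // Stand-in for a real repository so the example is self-contained.
    private static readonly List<Contact> Saved = new List<Contact>();

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create()
    {
        // Opt in to request validation. In this version of MVC nothing is
        // validated unless the controller asks for it; after this call every
        // form, query string and cookie value read from the request is
        // checked for markup that looks like script.
        Request.ValidateInput();

        var contact = new Contact();
        try
        {
            // UpdateModel reads FirstName, LastName and Email from the request,
            // so each of those reads is subject to the validation enabled above.
            UpdateModel(contact, new[] { "FirstName", "LastName", "Email" });
        }
        catch (HttpRequestValidationException)
        {
            // Reject the submission and redisplay the form; the suspicious value
            // never reaches the store, so it cannot be echoed back to other users.
            ModelState.AddModelError("_FORM",
                "One of the fields contains characters that are not allowed.");
            return View(contact);
        }

        Saved.Add(contact);
        return RedirectToAction("Index");
    }
}
```

Request validation rejects input that looks like markup before it is stored; it is an input-side check only and does not replace HTML-encoding values when they are rendered (for example with Html.Encode in a view), since a value that passes validation can still need encoding in the context where it is displayed.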
Posted on Tuesday, September 16, 2008 8:42 PM

Copyright © Liam McLennan