0
votes

I'm currently developing an ASP.NET MVC 4 website and have a question regarding Cross-site Scripting (XSS) vulnerabilities with the underlying ViewModel.

I am aware that ASP.NET does provide some request validation, but is there anything else I need to do to prevent XSS attacks? Do I need to use AntiXSS to sanitise each property of the ViewModel once it's been posted back to the server?

I did try entering alert("Hello"); into one of my textbox inputs and ASP.NET correctly caught it as potentially dangerous, but I just want to make sure I haven't missed something else.

Thanks for any and all advice.

1
This question makes an odd assumption, which is that XSS has something to do with the properties of the ViewModel. XSS occurs because of a flaw in the way that data is rendered to a browser (usually, the fact that it is not HTML-encoded). So it's a View level thing. It is possible to knock out XSS by restricting the properties of the ViewModel, but I think that it's the wrong place to do it. – Yellowfog

Excuse my ignorance in these things, I'm relatively new to web development so still very much learning. What I meant was that if I had a form which populated various properties of the ViewModel to then be stored in a database. I thought that I might need to 'sanitise' the data entered to avoid anything untoward being stored (as the data will inevitably be displayed in another page at some point). I thought perhaps I might need to check each of the ViewModel properties before storage, rather than store blindly and sanitise at a later stage when the data is displayed in a page. – Nathan

Yes, you can do that. My opinion is that it's the wrong approach (others may disagree). For one, it makes you less diligent about knocking out XSS points in the View - there may be other ways in which these could be exploited, if data can be changed without doing a roundtrip to the DB, or if there is ever another route to entering data into the DB. But mainly, the thought of addressing a presentation layer issue at the business logic layer just gives me the vapours. – Yellowfog

I see where you're coming from, I was thinking of it more as a 'belt and braces' approach to make sure any data entered would be checked/sanitised to avoid bad data going into the database, and likewise sanitise anything being presented in the view as well. – Nathan

1 Answer

0
votes

By default, Razor will sanitize everything except whatever is in @Html.Raw().

Read this article to gain more insights about how to prevent Cross-Site Request Forgery.
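The answer's point (Razor encodes everything except what goes through @Html.Raw()) and the comment thread's point (encode at the view, not at storage) as an added example in plain C#. This is illustration code, not from the question, the answer or ASP.NET itself: it simulates Razor's output step with WebUtility.HtmlEncode instead of running a Razor view, and CommentViewModel, RazorEncodingDemo and the Render* helpers are constructed names. It assumes .NET Framework 4.x or .NET Core 2.0 or later, where System.Web.HttpUtility is available.

```csharp
// Added example, not code from the question, the answer or ASP.NET itself.
// Names below (CommentViewModel, RazorEncodingDemo, the Render* helpers) are
// constructed for illustration. It reproduces, as plain C#, the ways a
// ViewModel string can end up in a page and what each does with hostile input.
using System;
using System.Net;
using System.Web;

// Hypothetical ViewModel of the kind the question describes: posted from a
// form, stored, and displayed again on another page later.
public class CommentViewModel
{
    public string Author { get; set; }
    public string Body { get; set; }
}

public static class RazorEncodingDemo
{
    // What writing @Model.Body in a .cshtml view does: the value is
    // HTML-encoded on the way out, so '<', '>', '&' and quotes become
    // character references and the browser shows them as text instead of
    // parsing them as markup.
    public static string RenderEncoded(string value) => WebUtility.HtmlEncode(value);

    // What @Html.Raw(Model.Body) does: the string is written verbatim. Only
    // use this for markup the application itself produced, never for user input.
    public static string RenderRaw(string value) => value;

    // The 'belt and braces' idea from the comments: encoding before storage
    // AND again at render time. The second pass re-encodes the '&' of the
    // first, so the visitor sees the literal text "&lt;script&gt;..." instead
    // of the characters they typed.
    public static string RenderDoubleEncoded(string value) =>
        WebUtility.HtmlEncode(WebUtility.HtmlEncode(value));

    // Caveat Razor's automatic encoding does not cover: a value placed inside
    // a <script> block (e.g. var body = "@Model.Body";) sits in a JavaScript
    // context. Browsers do not decode HTML entities inside script content,
    // and HTML encoding leaves backslashes and line breaks untouched, so a
    // JavaScript string literal needs JavaScript string escaping instead.
    public static string RenderJsStringLiteral(string value) =>
        "\"" + HttpUtility.JavaScriptStringEncode(value) + "\"";

    public static void Main()
    {
        // Constructed hostile input, similar to what the asker typed into a
        // textbox; request validation would normally reject this on the way in.
        var model = new CommentViewModel
        {
            Author = "someone",
            Body = "<script>alert(\"Hello\")</script>"
        };

        Console.WriteLine("@Model.Body (auto-encoded):   " + RenderEncoded(model.Body));
        Console.WriteLine("@Html.Raw(Model.Body):        " + RenderRaw(model.Body));
        Console.WriteLine("encoded at store + at render: " + RenderDoubleEncoded(model.Body));
        Console.WriteLine("inside a <script> block:      " + RenderJsStringLiteral(model.Body));
    }
}
```

Run it as a console project and compare the four lines. The first is what the default Razor path gives the browser; the second is what @Html.Raw() hands over unchanged; the third is why encoding before storage is usually avoided, since the stored value comes back already encoded and the view encodes it again; the fourth shows that the encoding has to match the output context, which is the reason the comment thread treats this as a View level concern rather than a ViewModel one. ASP.NET's request validation, which caught the asker's test input, is a separate input-side check and does not replace output encoding.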