Posted 28 May 2015
Licenced CPOL

Preventing XSS Attacks in ASP.NET MVC using ValidateInput and AllowHTML


Introduction

What is XSS?

How can we prevent the same in MVC?

What is the difference between “ValidateInput” and “AllowHTML” in MVC?

Introduction

In this blog we will try to understand how we can prevent and fine-tune XSS (Cross-Site Scripting) attacks in ASP.NET MVC.

What is XSS?

XSS (Cross-Site Scripting) is an attack in which the attacker injects malicious code while doing data entry. This code can be JavaScript, VBScript or any other scripting code. Once the injected code reaches an end user’s browser, it runs there and can gain access to cookies, sessions, local files and so on.

For instance, below is a simple product data entry form. In the product description field you can see that the attacker has entered JavaScript code.

Once Submit is clicked, you can see the injected JavaScript actually running in the browser.

How can we prevent the same in MVC?

In ASP.NET MVC, request input is validated for XSS by default. So if anyone tries to post JavaScript or HTML code, he lands on the error shown below.
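The default request validation rejects the request before the action runs, but by itself it only shows the end user an error page; nothing records that an injection attempt was made. The following example, added here and not part of the article, keeps the built-in check unchanged and only adds logging of which field tripped it, by deriving from the `System.Web.Util.RequestValidator` class that ASP.NET 4.x exposes for this purpose. The class name, namespace and assembly name in the web.config registration are assumptions.

```csharp
// Added example (not the article's code): keep ASP.NET's default request validation
// switched on, but record which field tripped it so rejected XSS attempts are visible in logs.
using System.Diagnostics;
using System.Web;
using System.Web.Util;

namespace MyApp.Security   // assumed namespace
{
    public class LoggingRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Delegate the actual decision to the built-in validator; the rules stay the same.
            bool isValid = base.IsValidRequestString(context, value, requestValidationSource,
                                                     collectionKey, out validationFailureIndex);
            if (!isValid)
            {
                // Log the source (Form, QueryString, Cookies, ...), the field name, the offset
                // of the suspicious character and the client address. The rejected value itself
                // is deliberately not logged, so the log cannot become a second injection point.
                Trace.TraceWarning(
                    "Request validation rejected {0} field '{1}' at offset {2} (client {3})",
                    requestValidationSource,
                    collectionKey,
                    validationFailureIndex,
                    context != null ? context.Request.UserHostAddress : "unknown");
            }
            return isValid;
        }
    }
}

// Registration in web.config (type and assembly names are assumptions for this example):
//
//   <system.web>
//     <httpRuntime requestValidationType="MyApp.Security.LoggingRequestValidator, MyApp" />
//   </system.web>
```

Because the override only wraps the base decision, fields marked with `[AllowHtml]` (discussed below) are still skipped exactly as before; the validator is only asked about values that are subject to validation.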

What is the difference between “ValidateInput” and “AllowHTML” in MVC?

As said in the previous question, in ASP.NET MVC we are not allowed to post scripts and HTML code by default. But consider the situation below, where we want HTML to be written and submitted.

The other scenario where we need HTML to be posted is HTML editors. So there is always a need now and then to post HTML to the server.

So for those kinds of scenarios where we want HTML to be posted, we can decorate the action with “ValidateInput” set to false. This bypasses the HTML and script tag checks for that action.

You can see in the below code we have requested the MVC framework to NOT VALIDATE the input to the action.

// Disables request validation for every field posted to this action.
[ValidateInput(false)]
public ActionResult PostProduct(Product obj)
{
    return View(obj);
}

But the above solution is not proper and neat. It opens a complete Pandora’s box of security issues. In this product screen scenario we only want HTML in the product description, not in the product name.

But because we have now set validation to false at the action level, you can write HTML in the product name field as well. We would love to have finer control at the field level rather than making the complete action naked.

That’s where “AllowHTML” comes in. You can see in the code below that we have decorated only the “ProductDescription” property.

public class Product
{
    // Still covered by the default request validation.
    public string ProductName { get; set; }

    // Only this property is exempted from request validation.
    [AllowHtml]
    public string ProductDescription { get; set; }
}

And from the action we have removed the “ValidateInput” attribute.

public ActionResult PostProduct(Product obj)
{
    return View(obj);
}

If you now try to post HTML in the product name field, you will get the error shown below saying that you cannot post HTML tags in the product name field.

So the difference between ValidateInput and AllowHTML is the granularity of preventing XSS attacks.
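`[AllowHtml]` only switches off the input-side check for that one property; the HTML it lets through still has to be handled safely when it is stored and rendered, which the article does not show. The example below is added here and is not the article's code. It puts the model, the POST action and the corresponding Razor view (shown as a comment, since it lives in a separate .cshtml file) together: the product name keeps the default validation, the description is reduced to a small allow-list of tags before it is rendered, and the view encodes everything else. The `HtmlSanitizer` class comes from the HtmlSanitizer NuGet package (namespace `Ganss.Xss` in recent versions, `Ganss.XSS` in older ones), which is an assumed dependency, not part of ASP.NET MVC; the controller and view names are also assumptions.

```csharp
// Added example (not the article's code): field-level opt-out with [AllowHtml]
// combined with output-side handling of the HTML that is let through.
using System.Web.Mvc;
using Ganss.Xss;   // assumed dependency: HtmlSanitizer NuGet package

public class Product
{
    // No attribute: request validation still rejects markup posted in this field.
    public string ProductName { get; set; }

    // Only this property bypasses request validation; raw HTML reaches the action.
    [AllowHtml]
    public string ProductDescription { get; set; }
}

public class ProductController : Controller   // assumed controller name
{
    // Allow-list sanitizer: everything not listed here (script, event handler attributes,
    // javascript: URLs, iframes, ...) is stripped before the description is kept.
    private static readonly HtmlSanitizer DescriptionSanitizer = CreateSanitizer();

    private static HtmlSanitizer CreateSanitizer()
    {
        var sanitizer = new HtmlSanitizer();
        sanitizer.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "i", "strong", "em", "ul", "ol", "li" })
            sanitizer.AllowedTags.Add(tag);
        sanitizer.AllowedAttributes.Clear();   // no attributes at all, so no onclick, no style
        return sanitizer;
    }

    [HttpGet]
    public ActionResult PostProduct()
    {
        return View(new Product());
    }

    // No [ValidateInput(false)] on the action, so ProductName keeps the default check
    // and an injection attempt in that field never reaches this method.
    [HttpPost]
    [ValidateAntiForgeryToken]   // pairs with @Html.AntiForgeryToken() in the form (CSRF, see the end of the article)
    public ActionResult PostProduct(Product obj)
    {
        if (!ModelState.IsValid)
            return View(obj);

        // [AllowHtml] let the raw markup in; reduce it to the allow-list before it is
        // stored or shown, otherwise @Html.Raw in the view would re-open the XSS hole.
        obj.ProductDescription = DescriptionSanitizer.Sanitize(obj.ProductDescription ?? string.Empty);

        return View("Confirm", obj);   // "Confirm" is an assumed view name
    }
}

// Views/Product/Confirm.cshtml (Razor, shown here as a comment; assumed file):
//
//   @model Product
//   <h2>@Model.ProductName</h2>                      @* Razor HTML-encodes this by default *@
//   <div>@Html.Raw(Model.ProductDescription)</div>   @* raw output is only acceptable because
//                                                       the value was sanitized in the action *@
```

The two halves belong together: `[AllowHtml]` decides what may enter the application, and the sanitizer plus Razor's default encoding decide what may leave it as markup. Dropping either half for the description field reintroduces the script execution shown in the screenshots above.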

Hope you have enjoyed this blog.

The other deadly attack that happens on an MVC website is CSRF; see the Facebook video below, which demonstrates how a CSRF attack can be prevented.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Article Copyright 2015 by Shivprasad koirala