How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

asp.net asp.net-mvc xss
tghw picture tghw · Jul 8, 2010 · Viewed 17.7k times · Source

I recently noticed that I had a big hole in my application because I had done something like:

<input type="text" value="<%= value%>" />

I know that I should have used Html.Encode, but is there any way to do that for all values, without having to do it explicitly?

Answer

George Stocker picture George Stocker · Jul 8, 2010

There's a few ways:

  • Use the <%: %> syntax in ASP.NET MVC2 / .NET 4.0. (Which is just syntactic sugar for Html.Encode())
  • Follow the directions laid out by Phil Haack where it details using the Anti-XSS library as the 'default' encoding engine for ASP.NET.

Related questions

A potentially dangerous Request.Form value was detected from the client

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown. I don't want to go into the discussion about the smartness of throwing an exception or crashing an …

Read More
Can I set an unlimited length for maxJsonLength in web.config?

I am using the autocomplete feature of jQuery. When I try to retrieve the list of more then 17000 records (each won't have more than 10 char length), it's exceeding the length and throws the error: Exception information: Exception type: InvalidOperationException Exception …

Read More
Could not find a part of the path ... bin\roslyn\csc.exe

I am trying to run Asp.net MVC project retrieved from TFS source control. I have added all assembly references and I am able to build and compile successfully without any error or warning. But I get the following error …

Read More