I have a controller which accepts
public class MyModel
{
[MaxLength(400)]
public string Message { get; set; }
}
I have a WebApi Post Action
public HttpResponseMessage Post(MyModel viewModel)
{
if (!ModelState.IsValid)
return new HttpResponseMessage(HttpStatusCode.BadRequest);
...
}
And a get action.
Since the content is written out by javascript rather than directly in a view the exact content was getting written out, also no asp.net warnings about dangerous content kicked in.
I want to protect against XSS. At the moment I am doing
HttpUtility.HtmlEncode(Regex.Replace(p.Message, @"<[^>]*>", String.Empty))
in the Get action. (Taken some code from Using C# regular expressions to remove HTML tags)
Is there any protection built in to Asp.Net I should be using? Are there any attributes I can decorate my model with?
I noticed this http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx but clicking through to http://wpl.codeplex.com/ is seems to be very badly reviewed.
As your code stands right now, a user could just inject JavaScript that doesn't use a script tag.
There is a common list of XSS vulnerabilities that could be used.
Right now you accept a 'string', and all you parse out are HTML tags. Unfortunately, there are a lot of XSS attacks that don't rely on HTML.
For instance, adding the following to a GET Request in Firefox: %22onmouseover=prompt%28%29//
will allow the person to inject JavaScript.
Your best bet is to use the AntiXss library from Microsoft, and specifically encode the parameters for GET and POST requests.
(I have to head to work, but I'll post more code later on how to do this).