ASP.NET MVC XSS Validation

We are using ASP.NET MVC 5.0 to build a website. If I enter some JavaScript into a textbox, when I save I get a "potentially unsafe input detected" error page - great.

However, a couple of our screens use an Ajax submit to pass JSON directly to the controller; this seems to skip the validation above.

Is there any way to call the standard validation on the model (or each text field in the model) in the controller in order to throw the error above, i.e. something like:

    public override ActionResult Create(MyModel myModel)
    {
        /* Any dubious input should throw an error */
        AntiXSS.ValidateInput(myModel);
        ...
Jake asked Nov 10 '22 13:11


1 Answer

I ran into a similar issue, and as noted in the comments on the other answer, we had jQuery using $.ajax to post JSON to the MVC action. The default model binder does not validate posted JSON, allowing unsafe XSS to be posted against our action.

To solve this, I found the RequestValidator has a static method InvokeIsValidRequestString that allowed

using System;
using System.IO;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

public class ValidateJsonXssAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext?.Request;
        // Content-Type may carry a charset suffix ("application/json; charset=utf-8"),
        // so match on the media type prefix rather than comparing the whole header value
        if (request != null && request.ContentType != null
            && request.ContentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase))
        {
            if (request.ContentLength > 0 && request.Form.Count == 0) // JSON body, not a form post
            {
                if (request.InputStream.Position > 0)
                    request.InputStream.Position = 0; // InputStream has already been read once from "ProcessRequest"
                // leaveOpen: true so disposing the reader does not close the request stream
                using (var reader = new StreamReader(request.InputStream, Encoding.UTF8, true, 1024, leaveOpen: true))
                {
                    var postedContent = reader.ReadToEnd(); // Get posted JSON content
                    var isValid = RequestValidator.Current.InvokeIsValidRequestString(HttpContext.Current, postedContent,
                        RequestValidationSource.Form, "postedJson", out var failureIndex); // Invoke XSS validation
                    if (!isValid) // Not valid, so throw request validation exception
                        throw new HttpRequestValidationException("Potentially unsafe input detected");
                }
            }
        }
    }
}

Then, you can just decorate relevant MVC actions expecting JSON-posted data that might bypass the standard XSS prevention:

[HttpPost]
[ValidateJsonXss]
public ActionResult PublishRecord(RecordViewModel vm) { ... }

You can see other options for customizing request validation with OWASP .NET recommendations by extending the RequestValidator object, which exposes the string validation done by the ValidateInput automatically utilized by MVC for other scenarios of query string, form collection, and cookie values.

For more info: https://www.owasp.org/index.php/ASP.NET_Request_Validation

Jason W answered Nov 15 '22 07:11
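The question itself sketches a second approach: validating the already-bound model inside the action, the way the asker's hypothetical AntiXSS.ValidateInput(myModel) would. The following is an added example, not code from the question or the answer above. The ModelRequestValidation class and its ValidateInput method are hypothetical names; what is real is RequestValidator.Current.InvokeIsValidRequestString, the same framework entry point the answer's filter calls, which is what ASP.NET itself runs over query string, form and cookie values. The helper walks every public string property of the model (recursing into nested objects and collections) and throws the standard HttpRequestValidationException on the first rejected value, so JSON-bound models get the same check as a normal form post.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

// Hypothetical helper (added example): applies ASP.NET request validation to a bound model.
public static class ModelRequestValidation
{
    // Walk the model graph and validate every string value with the current RequestValidator.
    // path is used only to make the exception message point at the offending property.
    public static void ValidateInput(object model, string path = "model", int depth = 0)
    {
        if (model == null) return;
        if (depth > 16)
            throw new InvalidOperationException("Model graph too deep (possible cycle) at " + path);

        if (model is string value)
        {
            // Same check the framework applies to form/query/cookie values;
            // RequestValidationSource.Form selects the "form value" rules.
            bool ok = RequestValidator.Current.InvokeIsValidRequestString(
                HttpContext.Current, value, RequestValidationSource.Form, path, out int failureIndex);
            if (!ok)
                throw new HttpRequestValidationException(
                    $"Potentially unsafe input detected in '{path}' (offset {failureIndex}).");
            return;
        }

        var type = model.GetType();
        // Scalars cannot carry markup; nothing to scan.
        if (type.IsPrimitive || type.IsEnum || type == typeof(decimal)
            || type == typeof(DateTime) || type == typeof(Guid))
            return;

        // Arrays, lists, dictionaries: validate each element (dictionary entries expose Key/Value).
        if (model is IEnumerable items)
        {
            int i = 0;
            foreach (var item in items)
                ValidateInput(item, $"{path}[{i++}]", depth + 1);
            return;
        }

        // Any other object: recurse into its public readable, non-indexed properties.
        foreach (var prop in type.GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            if (!prop.CanRead || prop.GetIndexParameters().Length > 0) continue;
            ValidateInput(prop.GetValue(model), $"{path}.{prop.Name}", depth + 1);
        }
    }
}

// Usage in a controller (MyModel is a placeholder view model, as in the question):
public class RecordsController : Controller
{
    [HttpPost]
    public ActionResult Create(MyModel myModel)
    {
        // Throws HttpRequestValidationException for JSON-posted input that the
        // standard form-post validation would also have rejected.
        ModelRequestValidation.ValidateInput(myModel);
        return Json(new { ok = true });
    }
}

public class MyModel
{
    public string Title { get; set; }
    public string[] Tags { get; set; }
}
```

Because it calls RequestValidator.Current, this helper automatically picks up a custom validator registered through the web.config requestValidationType attribute (the extension point the answer refers to). Like the built-in check, it is a reject-list filter on input and complements, rather than replaces, output encoding in the views.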