When using jQuery's $.ajax(...) to post a JSON object containing markup to an MVC action method, I was surprised to learn that the content isn't rejected by ASP.NET's request validation.
Is there a reason why the request validation isn't applied to JSON posts?
With the following definition, markup is not rejected by the server...
$.ajax({
    url: '/Controller/Action',
    // serialise the object by hand; jQuery would otherwise form-encode it
    data: JSON.stringify({ data: data }),
    type: "POST",
    dataType: "json",
    // the JSON content type is what routes the body to JsonValueProviderFactory
    contentType: "application/json"
});
Seems like it's tied to posts of type JSON.
I am using .NET 4.0, MVC 3.0.
I am creating functionality to save comments to a database. Seems like a security issue that markup/scripts can make it past the request validation...
I am posting a JSON object with various properties (e.g. commentText)
For some reason it's not rejecting my post if it contains markup like <div></div>, etc.
Found an article here that seems to explain the behavior:
http://weblogs.asp.net/imranbaloch/archive/2011/05/23/security-issue-in-asp-net-mvc3-jsonvalueproviderfactory.aspx
There seems to be a clue here http://weblogs.asp.net/imranbaloch/archive/2011/05/23/security-issue-in-asp-net-mvc3-jsonvalueproviderfactory.aspx
I think you're talking about request validation? It's on in MVC, so your JSON string must not be deemed a threat by ASP.NET - I can't remember if it would by default reject a JSON string that contains markup, I suspect not though.
More info about it here: http://weblogs.asp.net/imranbaloch/archive/2011/02/19/understanding-request-validation-in-asp-net-mvc-3.aspx
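The gap the question describes is that MVC 3's JsonValueProviderFactory deserialises the body straight into a value provider, so the strings never pass through the RequestValidator that Request.Form goes through. The following is an added example, not the original poster's code nor the code from the linked articles; it is a hypothetical replacement factory for .NET 4.0 / MVC 3 that checks every JSON string with the same validator before deferring to the stock factory.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Mvc;
using System.Web.Script.Serialization;
using System.Web.Util;
// Hypothetical factory (added example): validates JSON strings like the form provider does.
public class ValidatedJsonValueProviderFactory : ValueProviderFactory
{
    private readonly JsonValueProviderFactory _inner = new JsonValueProviderFactory();
    public override IValueProvider GetValueProvider(ControllerContext controllerContext)
    {
        var request = controllerContext.HttpContext.Request;
        if (request.ContentType == null ||
            !request.ContentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase))
            return null; // not a JSON post: leave it to the form/query-string providers
        if (controllerContext.Controller.ValidateRequest) // honours [ValidateInput(false)]
        {
            request.InputStream.Position = 0;
            string body = new StreamReader(request.InputStream).ReadToEnd();
            request.InputStream.Position = 0; // rewind so the stock provider can read it again
            if (!string.IsNullOrEmpty(body))
                Validate(new JavaScriptSerializer().DeserializeObject(body), "", HttpContext.Current);
        }
        return _inner.GetValueProvider(controllerContext);
    }
    // Walk the deserialised tree (Dictionary<string,object> for objects, object[] for arrays)
    // and check every string with the RequestValidator that Request.Form uses.
    private static void Validate(object node, string key, HttpContext context)
    {
        if (node is string)
        {
            int failureIndex;
            if (!RequestValidator.Current.InvokeIsValidRequestString(
                    context, (string)node, RequestValidationSource.Form, key, out failureIndex))
                throw new HttpRequestValidationException(
                    "A potentially dangerous value was detected in JSON field '" + key + "'.");
        }
        else if (node is IDictionary<string, object>)
            foreach (var kv in (IDictionary<string, object>)node)
                Validate(kv.Value, key.Length == 0 ? kv.Key : key + "." + kv.Key, context);
        else if (node is IEnumerable)
            foreach (var item in (IEnumerable)node)
                Validate(item, key, context);
    }
}
```

Register it in Application_Start by removing the stock JsonValueProviderFactory from ValueProviderFactories.Factories and adding this one. Treat it as defence in depth only: the saved comment text still has to be HTML-encoded wherever it is rendered.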