In standard ASP.NET applications, ASP.NET offered some protection from XSS attacks with validateRequest throwing "potentially dangerous input" errors if someone tried to. This functionality seems to have been taken out of MVC; any idea why?
I know this question is old but I thought I could answer it anyway.
There is a ValidateInput action filter attribute which can be added to actions.

```csharp
using System.Web.Mvc;

// Request validation is on by default in MVC; [ValidateInput(true)] makes that explicit.
// [ValidateInput(false)] would disable it for every input of this action.
[ValidateInput(true)]
public ActionResult Foo()
{
    return View();
}
```
You can also use the AllowHtml attribute on model properties:

```csharp
using System;
using System.Web.Mvc;

public class MyModel
{
    public Guid ID { get; set; }

    // Only this property is exempt from request validation; all others stay validated.
    [AllowHtml]
    public string SomeStringValue { get; set; }
}
```
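As an added example (not part of the answer above), here is how request validation, `[AllowHtml]` and output encoding fit together in one MVC model, controller and Razor view; the `CommentModel` and `CommentsController` names are assumed for illustration.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical model: only Body is allowed to carry markup. Request validation still
// rejects "<script>"-style input in every other bound field of this model.
public class CommentModel
{
    public Guid Id { get; set; }

    // Validated: a value such as "<b>x</b>" throws HttpRequestValidationException
    public string Author { get; set; }

    // Opted out: markup reaches the action unchanged, so it must be encoded on output
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Validation is on by default, so no [ValidateInput] attribute is needed here.
    [HttpPost]
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Body may contain HTML; store it as-is and decide how to render it in the view.
        return View("Show", model);
    }

    // Action-level opt-out disables validation for EVERY input of the request,
    // so prefer [AllowHtml] on the single property that actually needs it.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult CreateUnvalidated(CommentModel model)
    {
        return View("Show", model);
    }
}

/* Show.cshtml (Razor), where output encoding does the real XSS work:

   @model CommentModel
   <p>@Model.Author</p>                 @* HTML-encoded automatically *@
   <div>@Model.Body</div>               @* also encoded: any markup renders as text *@
   <div>@Html.Raw(Model.Body)</div>     @* NOT encoded: only acceptable after Body was sanitised *@
*/
```

Request validation is an input-side safety net; the view's automatic encoding (and avoiding `Html.Raw` on untrusted data) is what actually prevents stored XSS from an `[AllowHtml]` property.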
This is a hard line to cross. Is your web application just a RESTful web resource like it 'should' be? Or is it trying to do more? Next thing you know you have 100 hidden input fields: __VIEWSTATE, __EVENTTARGET, __EVENTARGUMENT, etc., etc.
As you know, you can still prevent XSS attacks in MVC. Just Google it to see several examples. But the reason is basically that MVC is a different, 'cleaner' type of web application.
EDIT: I don't know if what I've said above is clear. But the idea is that MVC isn't going to try to be more than what it is (like ASP.NET does). They both have their strong points and reasons.