
Why was validate request taken out of ASP.net MVC?

In standard ASP.net applications, ASP.net offered some protection from XSS attacks with validateRequest throwing detect dangerous input errors if someone tried to. This functionality seems to have been taken out of MVC. Any idea why?

alexmac asked Nov 29 '08 12:11


2 Answers

I know this question is old but I thought I could answer it anyway.

There is a ValidateInput action filter attribute which can be added to actions.

[ValidateInput(true)] // true is the default; false turns request validation off for this action
public ActionResult Foo()
{
    return View();
}

You can also use the AllowHtml attribute on model properties:

public class MyModel
{
    public Guid ID { get; set; }

    [AllowHtml]
    public string SomeStringValue { get; set; }
}

Sruly answered Oct 18 '22 01:10
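
An added example, not part of the answer above and not code from the ASP.NET MVC project: it contrasts the per-property opt-out ([AllowHtml]) with the per-action opt-out ([ValidateInput(false)]) and shows that whatever skips request validation must be encoded on output. It assumes ASP.NET MVC 3 or later on System.Web; CommentModel, CommentController and the action names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical model: only Body opts out of request validation.
public class CommentModel
{
    public Guid ID { get; set; }

    // No attribute: markup such as "<b>" posted in Author makes model
    // binding throw HttpRequestValidationException.
    public string Author { get; set; }

    // Request validation is skipped for this one property only.
    [AllowHtml]
    public string Body { get; set; }
}

// Hypothetical controller showing both scopes side by side.
public class CommentController : Controller
{
    // Narrow opt-out: validation stays on for the action ([ValidateInput(true)]
    // is the default), and only Body can carry markup.
    [HttpPost]
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Body arrived unvalidated, so it is encoded before it reaches the page.
        string safeBody = HttpUtility.HtmlEncode(model.Body);
        return Content("<p>" + safeBody + "</p>", "text/html");
    }

    // Broad opt-out: every posted field of this action skips request validation,
    // so Author needs the same output encoding as Body.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult CreateUnvalidated(CommentModel model)
    {
        string safeAuthor = HttpUtility.HtmlEncode(model.Author);
        string safeBody = HttpUtility.HtmlEncode(model.Body);
        return Content("<p>" + safeAuthor + ": " + safeBody + "</p>", "text/html");
    }
}
```

In a Razor view, `@Model.Body` applies the same HTML encoding automatically, while `Html.Raw` bypasses it.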


This is a hard line to cross. Is your web application just a RESTful web resource like it 'should' be? Or is it trying to do more? Next thing you know you have 100 hidden input fields: __VIEWSTATE, __EVENTTARGET, __EVENTARGUMENT, etc., etc.

As you know, you can still prevent XSS attacks in MVC. Just google it to see several examples. But the reason is basically that MVC is a different, 'cleaner' type of web application.

EDIT: I don't know if what I've said above is clear. But the idea is that MVC isn't going to try to be more than what it is (like ASP.NET does). They both have their strong points and reasons.

Timothy Khouri answered Oct 18 '22 00:10