I want to protect my ASP.NET MVC 5 application from Cross Site Scripting (XSS). I have gone through several articles and SO posts. The ideal option is to encode the input and also to encode it when the input is redisplayed.
However, MVC, by default, prevents any requests containing HTML markup, in order to avoid XSS attacks. By default ASP.NET 4.5 throws an exception if potentially dangerous content is detected in the request.
In certain legitimate cases it is perfectly acceptable for the user to submit markup. But in my application there is NO such case where a user would need to enter markup.
If I enter any markup in an input field, ASP.NET throws an exception as expected.
Having said that, do I really still need to encode input, or is it already taken care of by ASP.NET 5?
Best Answer
When posting any input field with HTML in it, ASP.NET MVC will throw an exception. You need to add the AllowHtml attribute on a particular input. For example:
When displaying this field you need to use @ as per the docs: https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting
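The two halves of the answer above (request validation on input, encoding on output) as an added example; this is not code from the question or the answer, and the names CommentViewModel, CommentsController and Show.cshtml are hypothetical, while AllowHtml, ValidateAntiForgeryToken and Html.Raw are the standard ASP.NET MVC 5 members.

```csharp
// Added example (not from the original question or answer). Names such as
// CommentViewModel and CommentsController are hypothetical; the attributes and
// helpers used are the standard ASP.NET MVC 5 ones from System.Web.Mvc.
using System.Web.Mvc;

public class CommentViewModel
{
    // Request validation stays ON for this property: a POST containing
    // "<script>" here is rejected before the action runs.
    public string DisplayName { get; set; }

    // [AllowHtml] switches request validation off for this property only,
    // so markup reaches the action. Use it only for a field that genuinely
    // needs markup; the questioner's application has no such field.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Keep the raw value; encoding is applied at output time, not here,
        // so the stored data stays correct for non-HTML contexts as well.
        return View("Show", model);
    }
}

/* Show.cshtml (Razor view for the model above):

   @model CommentViewModel

   <p>@Model.DisplayName</p>   @* '@' HTML-encodes: "<b>x</b>" renders as literal text *@
   <div>@Model.Body</div>      @* still encoded even though [AllowHtml] let it in *@

   Only Html.Raw(...) bypasses the encoding; avoid it for user-supplied data:
   <div>@Html.Raw(Model.Body)</div>   @* renders the markup as HTML, an XSS risk *@
*/
```

The point the question asks about: Razor's default `@` output encodes regardless of whether request validation let the markup in, so the two mechanisms are independent layers rather than one replacing the other.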