
I needed something like what is described here (a method to render a partial view to a string so I can pass it along with some other data as a JsonResult):

Render a view as a string

The top answer seems to be working well, but I'm wondering if this opens a vector for XSS/CSS injection?

If it does, would it be as easy as HTML-encoding the result before returning it to prevent it?

parliament

1 Answer

Whether you are using JSON, HTML partial views, or not, the HTTP POST actions should provide some XSS defense. Which means the GET was supplied with the same token. Typically in Razor, the token is added, then checked in the POST action.

 @* Razor view: the form emits the hidden anti-forgery field *@
 @using (Html.BeginForm())
 {
     @Html.AntiForgeryToken()
     @* form fields go here *@
 }

 // Controller: the attribute rejects the POST if the token is missing or invalid
 [HttpPost]
 [ValidateAntiForgeryToken]
 public ActionResult SomeActionMethod(MyModel model)
 {
     // runs only after the token check has passed
     return View(model);
 }

or you use your own hidden field and implement some check. So yes, make sure HTTP POSTs are protected; http://www.veracode.com/security/xss is a starter.

There is also MVC-based material on the topic, e.g. http://weblogs.asp.net/jgalloway/archive/2011/04/28/preventing-javascript-encoding-xss-attacks-in-asp-net-mvc.aspx

phil soady
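As an added example (not code from the question, the answer, or the linked post), here is a POST action that carries the answer's token check and returns a rendered partial inside a JsonResult, with comments on where the XSS protection actually lives. `PreviewController`, `MyModel` and the `_Preview` partial are hypothetical names; the render-to-string helper follows the usual ASP.NET MVC pattern and is assumed to match what the linked answer does.

```csharp
using System.IO;
using System.Web.Mvc;

public class PreviewController : Controller
{
    // Hypothetical model; Name is user-controlled input.
    public class MyModel { public string Name { get; set; } }

    // POST only, and the anti-forgery token emitted on the GET form is
    // checked by the attribute before this body runs (the answer's point).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public JsonResult Preview(MyModel model)
    {
        // "_Preview.cshtml" is a hypothetical partial. Inside it, write the
        // value as @Model.Name (Razor HTML-encodes it) and never as
        // @Html.Raw(Model.Name). Encoding happens at render time, so the
        // returned string is already safe to insert as HTML markup.
        string html = RenderPartialViewToString("_Preview", model);

        // Do NOT HtmlEncode `html` a second time here: the markup is the
        // intended payload and a second pass would double-encode it.
        // JsonResult JSON-escapes the string, so it cannot break out of
        // the JSON body; the only unsafe spot would be Html.Raw in the view.
        return Json(new { html, ok = true });
    }

    // Render a partial view to a string using the current controller context.
    private string RenderPartialViewToString(string viewName, object model)
    {
        ViewData.Model = model;
        using (var sw = new StringWriter())
        {
            ViewEngineResult viewResult =
                ViewEngines.Engines.FindPartialView(ControllerContext, viewName);
            var viewContext = new ViewContext(ControllerContext, viewResult.View,
                                              ViewData, TempData, sw);
            viewResult.View.Render(viewContext, sw);
            viewResult.ViewEngine.ReleaseView(ControllerContext, viewResult.View);
            return sw.GetStringBuilder().ToString();
        }
    }
}
```

On the client, inserting `data.html` into the DOM as markup is the intended use; what must stay encoded is each model value inside the partial, which Razor's default `@` output already does.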