I know that MVC by default has a level of protection against XSS. The backend code catches suspicious javascript in a submitted form, and Razor will HTML-encode output with its @Html helpers.

I believe these two features protect me from XSS be it from the user entering javascript into a form submission, or if some script has been written to the database and I am outputting it to the page via a @Html helper (with the exception of @Html.Raw()).

Are there any XSS techniques I need to guard against with the latest versions of MVC?

I have read the OWASP XSS cheat sheet but I think MVC covers all bases.

The only vulnerability I can think of is if script gets written into the database and I load that data into my page via JQuery, but that is not an MVC problem.

VictorySaber
  • I don't think you need to worry about XSS vulnerabilities as `Razor` engine will take care of most of the things. – Akshay Jan 22 '16 at 13:18
  • The main thing people do by mistake is try to use user input from within a – Cleverguy25 Jan 24 '16 at 07:00
  • Possible duplicate of [Does ASP.NET MVC 4 require extra XSS handling by default](http://stackoverflow.com/questions/12691958/does-asp-net-mvc-4-require-extra-xss-handling-by-default) – Paul Sweatte Nov 10 '16 at 16:22
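
As an added example (not code from the question or from ASP.NET MVC), this Node-runnable script mirrors the two output paths the question describes: the server-side encoding a Razor @-expression applies, and the stored value that bypasses it because it reaches the page as JSON and is inserted with jQuery. `htmlEncode`, `jsonEndpoint` and the two sink functions are stand-ins I wrote to model what Razor, `Json()` and jQuery's `.html()`/`.text()` produce; they do not call those libraries.

```javascript
// Added example, not code from the question or from ASP.NET MVC: it models the
// two output paths the question describes with small stand-in functions.

// Constructed sample: a value a user posted in a form that now sits in the DB.
const STORED = '<img src=x onerror=alert(1)> hello';

// What a Razor @-expression (or @Html helper) does before writing a value into
// the page: encode the five characters that can change HTML structure.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for a controller action that returns the stored value with Json().
// JSON serialisation is not HTML encoding, so the markup survives untouched.
function jsonEndpoint(stored) {
  return JSON.stringify({ text: stored });
}

// Markup the browser ends up with after $(el).html(payload.text): the string is
// parsed as HTML, so the stored tag becomes a live element.
function renderWithHtmlSink(jsonBody) {
  const { text } = JSON.parse(jsonBody);
  return `<p>${text}</p>`;
}

// Markup after $(el).text(payload.text): a text node is created, which is the
// client-side equivalent of the encoding Razor applied on the server.
function renderWithTextSink(jsonBody) {
  const { text } = JSON.parse(jsonBody);
  return `<p>${htmlEncode(text)}</p>`;
}

// Check used below: does the result contain any element tag other than the
// template's own <p>...</p> wrapper?
function containsTag(markup) {
  return /<(?!\/?p\b)[a-z]/i.test(markup);
}

console.log(renderWithHtmlSink(jsonEndpoint(STORED))); // live <img ...> element
console.log(renderWithTextSink(jsonEndpoint(STORED))); // &lt;img ...&gt; as text
```

The same value is harmless through a Razor @-expression and harmful through `.html()`, which is why the jQuery path the question mentions needs its own encoding step (or a text sink) even though MVC never touched it.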

0 Answers