
Am I missing something, or does ASP.NET Core allow posting script tags in user text fields? In previous versions of ASP.NET MVC I needed to allow it with the [AllowHtml] attribute.

Is there a way to enable validation against potentially dangerous values?

I'm free to submit value like

<script src='http://test.com/hack.js'></script>

during form post.

Model:

using System.ComponentModel.DataAnnotations;

namespace Test.Models
{
    public class TestModel
    {
        [MaxLength(500)]
        public string Content { get; set; }
    }
}

Controller:

using Microsoft.AspNetCore.Mvc;
using Test.Models;

namespace Test.Controllers
{
    public class HomeController : Controller
    {
        public IActionResult Index()
        {
            var model = new TestModel { Content = "Test" };
            // Pass the model to the view so asp-for has something to bind to
            return View(model);
        }

        [HttpPost]
        public IActionResult Index(TestModel model)
        {
            if(!ModelState.IsValid)
                return View(model);

            return Content("Success");
        }
    }
}

View:

@model TestModel

<form asp-action="Index" asp-controller="Home" method="post">
    <div asp-validation-summary="All"></div>
    <div>
        <label asp-for="Content">Content<strong>*</strong></label>
        <span asp-validation-for="Content"></span>
        <input asp-for="Content" type="text" />
    </div>
</form>
  • That's a good question. I haven't hit that problem yet. Everything in ASP.NET Core is opt-in so I'm pretty sure you'd need to add it as middleware but I'm not sure that's been ported across yet. Hopefully I'm wrong. – Lee Gunn Aug 21 '16 at 07:11
  • In System.Web there's a class called `System.Web.CrossSiteScriptingValidation` which seems to hold the logic for determining if the request is invalid. Looks simple enough from a quick glance. Maybe that could be used to knock up some middleware if something doesn't already exist. – Lee Gunn Aug 21 '16 at 07:24
  • 1
    It seems that perhaps requestvalidation was removed because we should not depend on it for security, instead we should validate input and encode untrusted output http://forums.asp.net/t/2032496.aspx?Where+is+AllowHtml – Joe Audette Aug 21 '16 at 12:36

1 Answer

ASP.NET Core does not have a feature similar to Request validation, as Microsoft decided that it's not a good idea. For more information see the discussion on the ASP.NET Core issue 'Default middleware for request validation, like IIS has'.

That means that validation has to take place on the inbound model, and that in Razor (.cshtml) you should output user-provided input as @Model.Content, which encodes the given string.

Please bear in mind that those escaping techniques might not work when the text that is output is not inside an HTML part.

So don't use @Html.Raw(..) unless you know that the data provided has been sanitized.

Supplement:

  • You might want to consider a Web Application Firewall (WAF) for a generic protection against malicious requests (e.g. XSS or SQL Injection).
  • For protecting your users against an XSS attack you might also have a look at providing a Content Security Policy (CSP).
  • This makes me incredibly happy. I've been properly encoding data on the client 100% of the time since Razor came out (I made some mistakes back in the <%= %> days), and still fighting with that stupid "Potentially dangerous" nonsense - I could never find all of the various spots where you have to turn it off. – Joe Enos Jun 18 '20 at 16:27
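The answer's two recommendations (validate on the inbound model, and add a Content Security Policy so a missed encoding has less impact) put into one runnable ASP.NET Core program. This is an added example, not code from the question, the answer or Microsoft; it assumes .NET 6+ minimal hosting, and the names NoHtmlAttribute, OutputEncodingDemo and the CSP value are the example's own choices, not a framework API.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Text.Encodings.Web;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example (hypothetical names): replaces the removed request validation
// with explicit model validation plus a CSP response header.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
var app = builder.Build();

// Defence in depth: a CSP that only allows same-origin scripts means an
// injected <script src="http://other-host/..."> is blocked by the browser
// even if some view forgets to encode. Tighten or loosen per application.
app.Use(async (context, next) =>
{
    context.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
    await next();
});

app.MapDefaultControllerRoute();
app.Run();

// Opt-in replacement for [AllowHtml]-style request validation: reject any
// tag-like sequence ('<' followed by a letter, '/', '!' or '?') on a field.
// Apply it only where HTML is never legitimate input.
public sealed class NoHtmlAttribute : ValidationAttribute
{
    private static readonly Regex TagLike = new(@"<[a-zA-Z/!?]", RegexOptions.Compiled);

    public NoHtmlAttribute() : base("The field {0} must not contain HTML markup.") { }

    // null or non-string values are left to other attributes ([Required] etc.)
    public override bool IsValid(object? value)
        => value is not string s || !TagLike.IsMatch(s);
}

public class TestModel
{
    [MaxLength(500), NoHtml]
    public string? Content { get; set; }
}

public class HomeController : Controller
{
    [HttpGet]
    public IActionResult Index() => View(new TestModel { Content = "Test" });

    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Index(TestModel model)
    {
        // ModelState now contains the NoHtml error for input such as
        // <script src='http://test.com/hack.js'></script>, and the
        // asp-validation-summary in the view shows it to the user.
        if (!ModelState.IsValid)
            return View(model);

        return Content("Success");
    }
}

// What Razor does implicitly for @Model.Content: HTML-encode on output.
// Shown explicitly here for code paths that build strings outside a view.
public static class OutputEncodingDemo
{
    public static string Encode(string untrusted) => HtmlEncoder.Default.Encode(untrusted);
}
```

The two halves are independent: the attribute stops tag-like text from ever reaching the model, while the CSP header limits what an injected script could do if untrusted text is still rendered with @Html.Raw somewhere. Encoding on output (the default for @Model.Content) remains the primary control; the attribute is an optional, per-field tightening for fields where markup is never expected, and the regex is deliberately simple rather than a general HTML sanitizer.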