1

What is the best way to sanitize the user input in asp.net mvc without throwing "potentially dangerous request.form" exception and still preventing the xss attack for the post requests which contains dangerous tags.

Edit: I tried the AntiXss and created custom encoder which encodes all the submitted values at runtime but the problem is that it is still throwing the exception. Actually I am not figuring out that exactly where (which event) I can ensure that the request contains nothing dangerous and if it contains something dangerous, I can redirect it to another Action rather than throwing exception.

ZeNo
  • 1,648
  • 2
  • 15
  • 28

1 Answers1

1

Disable the automatic form checking, and use Microsoft Anti-Cross Site Scripting Library to manually check each relevant field for XSS.

Of course, in MVC some of the checks come out of the box. If, for example, your action method contains an int parameter called productID, and the user submits a form with a productID field, it's automatically populated by MVC's model binder mechanism and you get a "strong" int which you can count on. No text inside, no problems. So all you have to check are the text-based fields.

Ofer Zelig
  • 17,068
  • 9
  • 59
  • 93
  • Thanks Ofer for the start. I tried it out but it didn't solved my complete problem. – ZeNo Aug 05 '11 at 19:36
  • Did you follow the instructions detailed in this answer and the comments following it? : http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client/82170#82170 – Ofer Zelig Aug 07 '11 at 06:31