Sanitizing Input in ASP.NET MVC Application


To address issues with XSS etc., you should encode your output properly using e.g. HTML encoding - as opposed to your input. You may want to also look at the anti-XSS library http://wpl.codeplex.com/releases/view/80289 which includes some excellent classes to help.

To address concerns with SQL injection, you should be using SQL parameters (parameterized queries) http://msdn.microsoft.com/en-us/library/vstudio/bb738521(v=vs.100).aspx alongside appropriate permissions configured in SQL Server itself. As you are using EF5, this will also protect against SQL injection for you, I believe.
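The two recommendations above, output encoding chosen per context and parameterized SQL, as an added C# example that is not part of the answer or the asker's application. It uses the `AboutMe` value from the question as constructed input; the `dbo.UserProfile` table, the `@aboutMe`/`@userId` parameter names and the connection string are assumptions (placeholders), and it targets .NET Framework with `System.Web` and `System.Data.SqlClient`:

```csharp
// Added example (not from the question or the answer): contextual output
// encoding of an untrusted "AboutMe" value, plus a parameterized UPDATE.
// Assumes .NET Framework 4.x with System.Web and System.Data.SqlClient;
// the table name, parameter names and connection string are placeholders.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

class OutputEncodingDemo
{
    // Constructed sample input: the payload pasted into the form in the question.
    const string AboutMe = "<script type=\"text/javascript\">alert(\"hey\")</script>";

    // HTML body context, e.g. the text inside <textarea>...</textarea>.
    // Razor's @Model.AboutMe applies this encoding for you; Html.Raw() bypasses it.
    static string ForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // JavaScript string-literal context, e.g. a Knockout view model seeded inline:
    //   var vm = { aboutMe: <here> };
    // HTML encoding is the wrong encoder for this context; the JavaScript encoder
    // escapes the quotes and angle brackets that would otherwise end the literal
    // or the <script> block, which is the kind of break the question describes.
    static string ForJavaScriptString(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted, addDoubleQuotes: true);
    }

    // Persistence: the raw value is stored unchanged (encoding happens on output),
    // and it reaches SQL Server only as a typed parameter, never concatenated
    // into the statement text.
    static void SaveAboutMe(string connectionString, int userId, string untrusted)
    {
        const string sql =
            "UPDATE dbo.UserProfile SET AboutMe = @aboutMe WHERE UserId = @userId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@aboutMe", SqlDbType.NVarChar, 4000).Value = untrusted;
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        Console.WriteLine("HTML context:       " + ForHtml(AboutMe));
        Console.WriteLine("JavaScript context: " + ForJavaScriptString(AboutMe));
        // SaveAboutMe("<connection string placeholder>", 42, AboutMe);
    }
}
```

The point of keeping two encoders is that the same stored string needs different escaping depending on where the view emits it; stripping brackets on input, as the question considers, would both mangle legitimate text and still leave the JavaScript context unprotected. With EF5 the `SaveAboutMe` method would be replaced by a normal entity update, which EF parameterizes on your behalf.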

Author: SB2055

Updated on July 10, 2022

Comments

  • SB2055, almost 2 years ago

    I have an MVC app with a Service layer and I'm trying to figure out how to sanitize all inputs without going insane.

    I have validation under control - field-length, data-types, and other validation is being handled both on client and model (EF5).

    What I'm now trying to handle is preventing SQL injection and XSS - I was able to break my application by pasting some markup into one of my inputs.

    For example:

     <textarea data-bind="value: aboutMe">@Model.AboutMe </textarea>
    

    If I save some script tag in AboutMe:

    <script type="text/javascript">alert("hey")</script>
    

    the page breaks due to illegal characters:

      Uncaught SyntaxError: Unexpected token ILLEGAL 
    

    I'm thinking I can just cherry-pick every single input and wrap it in some kind of SanitizeText() function that removes all brackets from anything that's been submitted, but this feels cheap and tedious, and doesn't address SQL injection.

    What's the proper way to go about this?