Novkovski Stevo Bato

Reputation: 1043

Should I just use an HTML sanitizer on "rich HTML values"?

Do I need to sanitize all string values passed to my controller, or just rich HTML, like editor content?

What about <input type="text"> fields?

<input type="text" name="test1" value="<script></script>" />


public ActionResult TestAction(string test1)
{
    // save in db
    return View();
}

Upvotes: 0

Views: 128

Answers (1)

Cameron Tinker

Reputation: 9789

Always sanitize data being sent to the server. You don't want anyone to arbitrarily send data to your server of any type. Some HTML tags, such as <script> elements, can be harmful. You don't want the user storing JavaScript code in your content pages as it could be malicious for other users.

Upvotes: 1
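As an added example (not code from the question or the answer above), the following C# console program treats the two kinds of field in the question differently: a plain <input type="text"> value is validated for shape, stored exactly as typed, and HTML-encoded when it is rendered, while a rich editor field is reduced to an allowlist of tags and attributes before it is stored. The allowlist sanitizer is the HtmlSanitizer NuGet package (namespace Ganss.Xss in version 8 and later); that dependency, the method names and the sample payloads are this example's assumptions.

```csharp
// Added example, not from the original post. Assumes the HtmlSanitizer NuGet
// package (Ganss.Xss). Sample inputs below are constructed for illustration.
using System;
using System.Net;
using Ganss.Xss;

public static class InputHandling
{
    // Plain text field: check length and shape, but do NOT strip or rewrite
    // characters. A name like "<b>" or "O'Neil" is legitimate data; the stored
    // value is exactly what the user typed.
    public static string StorePlainText(string input, int maxLength = 200)
    {
        if (input == null) throw new ArgumentNullException(nameof(input));
        var trimmed = input.Trim();
        if (trimmed.Length > maxLength)
            throw new ArgumentException("value too long", nameof(input));
        return trimmed;
    }

    // Output encoding for a plain text value placed into HTML element content.
    // Razor's @Model.Field does this for you; it is spelled out here.
    public static string RenderPlainText(string stored) => WebUtility.HtmlEncode(stored);

    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    // Allowlist for the rich editor field: a handful of formatting tags, one
    // attribute, and https-only links. Everything else (script, event handler
    // attributes, javascript: URLs, style) is dropped by the sanitizer.
    private static HtmlSanitizer BuildSanitizer()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "b", "i", "em", "strong", "ul", "ol", "li", "a" })
            s.AllowedTags.Add(tag);
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("https");
        return s;
    }

    // Rich HTML field: the one place a sanitizer belongs. Sanitize at save time;
    // the sanitized markup is what later goes through @Html.Raw(...).
    public static string StoreRichHtml(string input) => Sanitizer.Sanitize(input ?? string.Empty);

    public static void Main()
    {
        // Constructed payloads of the kind the question worries about.
        var textPayload = "<script>alert(1)</script>";
        var richPayload = "<p onclick=\"alert(1)\">Hello <b>world</b><script>alert(2)</script>"
                        + "<a href=\"javascript:alert(3)\">x</a></p>";

        var storedText = StorePlainText(textPayload);
        Console.WriteLine("stored text field : " + storedText);            // verbatim
        Console.WriteLine("rendered in HTML  : " + RenderPlainText(storedText)); // encoded

        Console.WriteLine("stored rich field : " + StoreRichHtml(richPayload)); // allowlisted
    }
}
```

Two ASP.NET MVC specifics follow from this split. On System.Web, request validation rejects a posted value containing `<script>` before the action even runs ("A potentially dangerous Request.Form value was detected"), so a rich editor field has to be marked `[AllowHtml]` on the model property (or the action marked `[ValidateInput(false)]`) and then passed through the sanitizer as above; ASP.NET Core has no request validation, so the same sanitizer call is the only gate. And because Razor encodes `@Model.Field` by default, a plain text value stored verbatim is safe to display, whereas only the sanitized output of the rich field should ever be emitted with `@Html.Raw`.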
