Reputation: 877
I have a simple email form on my site with MVC C#.
If I add `<script>alert("test")</script>` into the text box, I get the exception below:
A potentially dangerous Request.Form value was detected from the client (Message="<script>alert("test"...").
I don't want a user to be able to insert JavaScript. I need to HTML-encode this field; how would I do this on this field?
@Html.TextAreaFor(model => model.Message, new { @style = "width:800px;height:300px;" })
Upvotes: 0
Views: 1619
Reputation: 3505
Option 1: look at the accepted answer at: HTML-encoding lost when attribute read from input field
Option 2: Put the [AllowHtml] attribute on the model property that binds to this textbox; that will let the value into your controller, where you can use HtmlEncode.
Option 3: Put the [ValidateInput(false)] attribute on your controller action. This lets everything through no matter what, and then you can do your own custom validation for everything.
Upvotes: 1
Reputation: 13960
Use System.Web.HttpUtility.HtmlEncode to encode all user input and avoid XSS attacks.
Upvotes: 0
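The following is an added example, not code from either answer above; it puts Option 2 and Option 3 from the first answer next to the HttpUtility.HtmlEncode call from the second. It assumes ASP.NET MVC 5 on the .NET Framework (System.Web and System.Web.Mvc referenced); the class and property names ContactViewModel, ContactController, Name and Message are made up for the illustration.

```csharp
// Added example (not from the original post). Assumes ASP.NET MVC 5 on .NET Framework
// with the System.Web and System.Web.Mvc assemblies referenced. ContactViewModel,
// ContactController, Name and Message are hypothetical names.
using System.Web;
using System.Web.Mvc;

public class ContactViewModel
{
    // Still covered by request validation: "<script>" here keeps throwing.
    public string Name { get; set; }

    // Option 2: [AllowHtml] switches request validation off for this one property
    // only, so the post no longer fails with HttpRequestValidationException during
    // model binding. The value arrives in the controller exactly as typed.
    [AllowHtml]
    public string Message { get; set; }
}

public class ContactController : Controller
{
    [HttpGet]
    public ActionResult Index()
    {
        return View(new ContactViewModel());
    }

    // Option 3 would be [ValidateInput(false)] on this action instead of [AllowHtml]
    // on the property. That disables request validation for every form field the
    // action receives (Name included), so the per-property attribute is the narrower
    // choice when only one field legitimately needs angle brackets.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(ContactViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Encode where the text is placed into HTML, not "on input" in general:
        // a plain-text e-mail body or a log line needs the raw string, an HTML
        // e-mail body or a web page needs the encoded one.
        // For "<script>alert(\"test\")</script>" HtmlEncode produces
        // "&lt;script&gt;alert(&quot;test&quot;)&lt;/script&gt;", which a browser
        // displays as text instead of running.
        string messageForHtml = HttpUtility.HtmlEncode(model.Message);

        ViewBag.MessageForHtml = messageForHtml; // only ever rendered as already-encoded text

        // In the Razor view, @Model.Message is HTML-encoded automatically; the one
        // thing to avoid is @Html.Raw(Model.Message), which writes the raw script
        // back into the page. ViewBag.MessageForHtml must not be encoded a second
        // time either, or the visitor sees literal "&lt;" in the page:
        //
        //   <p>@Model.Message</p>                       <!-- safe, auto-encoded -->
        //   <p>@Html.Raw(ViewBag.MessageForHtml)</p>    <!-- safe, encoded above -->
        //   <p>@Html.Raw(Model.Message)</p>             <!-- XSS -->

        return View("Sent", model);
    }
}
```

Request validation is only a coarse filter that rejects a request; the control that actually prevents XSS is encoding the value wherever it is written into HTML, which Razor's @ syntax does for you. That is also why [AllowHtml] is the preferable way to stop the exception: it keeps the filter on every other field, while [ValidateInput(false)] drops it for the whole action.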