Hans

Reputation: 2832

Is sanitizing user input necessary when Request Validation is already on guard?

Request Validation is a powerful mechanism to prevent injecting malicious code via a request to the server. This is done on the server side, so regardless of whether any client-side validation has been done or not, one can be sure that if something unusual is coming, an exception will be thrown automatically.

My question: while we have "Request Validation" in hand, is it still necessary to sanitize requests?

I'm using ASP.NET MVC 5.0.

PS: I'm solely talking in the context of the web (not the DB or anything else) and its potential vulnerabilities (such as XSS).

Upvotes: 1

Views: 2452

Answers (2)

Ryan Mann

Reputation: 5357

Here's a link about XSS and Request Validation on MSDN:

https://msdn.microsoft.com/en-us/library/vstudio/hh882339%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396

Upvotes: 0

Dean Ward

Reputation: 4783

Yes! There is plenty of perfectly valid input in ASP.NET's eyes that could cause issues in your application if not dealt with correctly.

For example, if somebody passed some data in a request and you weren't correctly parameterizing queries in your data layer, then this input:

x'; DROP TABLE users; --

Could result in this query:

SELECT FieldList
FROM Users
WHERE Email = 'x'; DROP TABLE Users; --

Oh noes! You've lost your Users table!

You should always treat user input as hostile, irrespective of request validation. This demonstrates some scenarios whereby request validation wouldn't save your skin.

HTML encoding when you render user-provided input is important. Never render any untrusted input using @Html.Raw, and be careful that your HtmlHelpers correctly encode anything coming from a user.

Defence in depth is important. Think of request validation as just one piece of that process.

Upvotes: 2
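The following is an added, runnable illustration of the two points in the answer above; it is not code from the question, the answers, or ASP.NET itself. It models request validation with a small function (an assumption: a simplified version of the check ASP.NET 4.x applies, which rejects "<" followed by a letter, "!", "/" or "?", and the "&#" entity prefix), uses an in-memory SQLite table in place of SQL Server, and uses Python's html.escape where Razor's default "@" encoding would sit. All three payloads are constructed for the example. Because sqlite3's execute() refuses stacked statements, the DROP TABLE batch from the answer cannot be run through it here; the concatenation-versus-parameters comparison therefore uses a tautology payload that leaks every row, which makes the same point about parameterization.

```python
import html
import sqlite3

# Constructed inputs (not taken from any real request). The first is the payload
# quoted in the answer above; the second leaks rows instead of dropping a table;
# the third breaks out of a double-quoted HTML attribute. None contains a "<"
# tag opener or "&#", so the request-validation model below passes all three.
DROP_PAYLOAD = "x'; DROP TABLE Users; --"
LEAK_PAYLOAD = "x' OR '1'='1"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def rejected_by_request_validation(value: str) -> bool:
    """Assumption: a simplified model of ASP.NET's IsDangerousString check.
    Rejects '<' followed by a letter, '!', '/' or '?', and the '&#' prefix;
    everything else, including SQL metacharacters and quotes, passes."""
    for i, ch in enumerate(value):
        nxt = value[i + 1:i + 2]
        if ch == "<" and (nxt.isalpha() or nxt in ("!", "/", "?")):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the Users table (assumption: SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Email TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users (Email) VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",)])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the untrusted value is spliced into the SQL text, so the
    quote in the payload ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT Id, Email FROM Users WHERE Email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Safe: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute("SELECT Id, Email FROM Users WHERE Email = ?", (email,)).fetchall()


def render_raw(value: str) -> str:
    """What @Html.Raw amounts to: the value lands verbatim inside the attribute."""
    return f'<input name="q" value="{value}">'


def render_encoded(value: str) -> str:
    """What Razor's default encoding amounts to: quotes and angle brackets are
    entity-encoded, so the value cannot close the attribute or start a tag."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    for payload in (DROP_PAYLOAD, LEAK_PAYLOAD, ATTR_PAYLOAD):
        print(f"request validation rejects {payload!r}: "
              f"{rejected_by_request_validation(payload)}")
    conn = fresh_db()
    print("concatenated:  ", lookup_concatenated(conn, LEAK_PAYLOAD))
    print("parameterized: ", lookup_parameterized(conn, LEAK_PAYLOAD))
    print("raw:           ", render_raw(ATTR_PAYLOAD))
    print("encoded:       ", render_encoded(ATTR_PAYLOAD))
```

The request-validation model returns False for every one of the three payloads, which is the answer's point: the filter is looking for markup, not for SQL or attribute-context breakouts. The concatenated lookup returns both users for the tautology payload while the parameterized lookup returns none, and the raw attribute render turns the input into a live onfocus handler while the encoded render leaves it as inert text.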
