Reputation: 718
Enable asp.net core request validation
Am I missing something or asp.net core allows to post script tag in user text fields? In Previous versions of asp.net mvc I needed to allow it by [AllowHtml] attribute.
Is there a way how enable validation agains potentially dangerous values?
I'm free to submit value like
<script src='http://test.com/hack.js'></script>
during form post.
Model:
using System.ComponentModel.DataAnnotations;
namespace Test.Models
{
public class TestModel
{
[MaxLength(500)]
public string Content { get; set; }
}
}
Controller:
using Microsoft.AspNetCore.Mvc;
using Test.Models;
namespace Test.Controllers
{
public class HomeController : Controller
{
public IActionResult Index()
{
var model = new TestModel { Content = "Test" };
return View();
}
[HttpPost]
public IActionResult Index(TestModel model)
{
if(!ModelState.IsValid)
return View(model);
return Content("Success");
}
}
}
View:
@model TestModel
<form asp-action="Index" asp-controller="Home" method="post">
<div asp-validation-summary="All"></div>
<label asp-for="Content">Content<strong>*</strong></label>
<span asp-validation-for="Content"></span>
<input asp-for="Content" type="text" />
</div>
</form>
Upvotes: 24
Views: 17148
Answers (2)
Reputation: 2508
Since @Html.Raw(..) will let client page run scripts and styles that posted by form body, here what I did is to globally prevent they don't exist in any form data.
public class FormHackValidationFilter: IActionFilter
{
private static readonly string[] hacks = new string[] {
"<script>", "</script>", "<style>", "</style>"
, "<script>", "</script>"
, "<style>", "</style>"};
public void OnActionExecuting(ActionExecutingContext context)
{
if (context.HttpContext.Request.ContentLength > 0)
{
if (context.HttpContext.Request.Form != null && context.HttpContext.Request.Form.Any())
{
var formData = context.HttpContext.Request.Form.Cast<KeyValuePair<string, StringValues>>();
if (formData.Any(x => x.Value.Any(d => hacks.Any(h => d.Contains(h)))))
{
context.Result = new BadRequestObjectResult("Stop playing with us, human being!");
}
}
}
}
public void OnActionExecuted(ActionExecutedContext context)
{
}
}
later enable it:
services.AddControllersWithViews(options =>
{
options.Filters.Add<FormHackValidationFilter>();
})
7 year later answer, enjoy it!
Upvotes: 0
Reputation: 3237
ASP.NET Core does not have a feature similar to Request validation, as Microsoft decided, that it’s not a good idea. For more information see the discussion on the ASP.NET Core issue 'Default middleware for request validation, like IIS has'.
That means that validation has to take place on the inbound model. And that in the Razor (.cshtml)
you should output user provided input like @Model.Content, which encodes the given string.
Please bear in mind that those escaping techniques might not work when the text that was output is not inside a Html part.
So don't use @Html.Raw(..) unless you know that the data provided has been sanitized.
Supplement:
- You might want to consider a Web Application Firewall (WAF) for a generic protection against malicious requests (e.g. XSS or SQL Injection).
- For protecting your users against an XSS attack you might also have a look at providing a Content Security Policy (CSP).
Upvotes: 21
Related Questions
- Disable model validation for single .NET Core API action
- Disable client side form validation in ASP.NET Core
- Field validation in ASP.NET Core 2.0
- Validating a form server side - ASP.NET Core 2.2 Razor Pages
- ASP.NET Core Web API Validation Error Handling
- Use HttpRequest in validation context
- ASP.NET CORE: Custom validation
- I can't turn off Request Validation for an ASP.NET MVC Controller
- asp-validation-for triggering on get .net core
- Request Validation - how and why is it disabled in SiteCore?