Lorenzo

Reputation: 29427

XSS prevention: confused about some advice :)

In this blog post, when it comes to the advice on XSS prevention (search "To prevent cross-site scripting" in the text), I can read:

Disable request validation through use of the ValidateInput attribute. This attribute will falsely reject valid HTML input.

Maybe it is because my English is far from perfect, but I see some contradiction in terms. At the beginning I understand that I should use the ValidateInput attribute, but then it says that this attribute falsely rejects valid HTML input, so it's not advised to use it.

It looks like the day after elections in Italy: somebody won, somebody did not lose, somebody else had a good performance :D

What is, by the way, the correct sense of that sentence?

Upvotes: 0

Views: 407

Answers (2)

Darin Dimitrov

Reputation: 1038730

This sentence is contradictory and unclear to me as well. Maybe the author meant that you don't need to use this attribute because by default dangerous requests will be denied.

Personally I stopped reading the article at this statement: DO access data in views using ViewData. Even an example was given of how to do this.

Upvotes: 2

SimonJ

Reputation: 21306

I agree, it's confusing - but he appears to be suggesting disabling this attribute. This is safe when combined with his next tip, encoding all user data to be displayed (so < becomes &lt; and so on).

I think "disabling request validation" is bad advice to be giving as the first of three tips on "preventing cross-site scripting attacks", though.

Upvotes: 0
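To make the two layers SimonJ contrasts concrete, here is an added example that is not part of the thread or of ASP.NET MVC itself. The `request_validation_gate` function is a constructed stand-in for a request-validation filter (it rejects anything that looks like an HTML tag, which is an assumption about its behaviour, not ASP.NET's real implementation); `render_comment` models the alternative of accepting any input and encoding it when it is written into the page. The sample inputs are constructed. Running both over the same inputs shows why the gate "falsely rejects valid HTML input" while output encoding renders every input, including a script tag, as inert text.

```python
import html
import re

# Constructed stand-in for a request-validation filter: refuse any input that
# looks like the start of a tag. This is an assumption used for illustration,
# not ASP.NET's actual request-validation logic.
_TAG_LIKE = re.compile(r"<[a-zA-Z/!]")


class PotentiallyDangerousRequest(Exception):
    """Raised when the stand-in request filter rejects the input outright."""


def request_validation_gate(user_input: str) -> str:
    """Layer 1 (input filtering): reject or pass the raw value unchanged."""
    if _TAG_LIKE.search(user_input):
        raise PotentiallyDangerousRequest(user_input)
    return user_input


def encode_for_html_body(user_input: str) -> str:
    """Layer 2 (output encoding): '<' becomes '&lt;', '>' becomes '&gt;',
    '&' becomes '&amp;' and quotes become entities, so the browser shows the
    characters as text instead of parsing them as markup."""
    return html.escape(user_input, quote=True)


def render_comment(user_input: str) -> str:
    """Accept any input (request validation disabled) and encode at output.
    The only markup in the result is the fixed wrapper element."""
    return '<p class="comment">' + encode_for_html_body(user_input) + "</p>"


def compare(user_input: str) -> tuple:
    """Return (gate verdict, encoded rendering) for one input."""
    try:
        request_validation_gate(user_input)
        verdict = "accepted"
    except PotentiallyDangerousRequest:
        verdict = "rejected"
    return verdict, render_comment(user_input)


# Constructed sample inputs: harmless text, legitimate markup a user may
# reasonably submit, and the classic script-tag probe.
SAMPLES = {
    "benign": "I <3 ASP.NET MVC",
    "valid_html": "<b>bold</b> text",
    "script_tag": "<script>alert(1)</script>",
}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        verdict, rendered = compare(value)
        print(f"{name:12s} gate={verdict:8s} output={rendered}")
```

The gate refuses the harmless `<b>bold</b> text` just as readily as the script tag, which is the false rejection the question is about; the encoded rendering accepts both and neither one reaches the browser as markup, because every `<` in the user-supplied part has become `&lt;`.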
