Reputation: 9518
Good day!
I'd like to HTML-encode all user input on the ASP.NET MVC 2 site by default. Can this be done anywhere on the model binder level?
If I disable input validation for an action -- I will need to HTML-encode every other value. If I keep ASP.NET request validation on -- it will throw errors "A potentially dangerous Request.Form value was detected from the client"
P.S. I do use encoding when outputting data (<%: %> syntax), but I'd like to encode everything on posting it too.
Thanks in advance!
Upvotes: 0
Views: 1639
Reputation: 67019
Unfortunately XSS is an output problem, not an input problem. Running everything through an HTML encoder will not solve all your problems. There are many ways of obtaining XSS without <>.
In general input should be validated just before use. You cannot predict how all input will be used, and you will end up corrupting data.
Upvotes: 1
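For reference, this is what the binder asked about in the question looks like in ASP.NET MVC 2, followed by the data-corruption effect the answer describes. It is an added example, not code from either post; the class names `HtmlEncodingStringBinder` and `MvcApplication` are assumed.

```csharp
using System.Web;
using System.Web.Mvc;

// Binder that HTML-encodes every bound string. It is registered for
// typeof(string) in Global.asax below; the receiving action must also carry
// [ValidateInput(false)], otherwise request validation rejects the post
// ("A potentially dangerous Request.Form value ...") before binding runs.
public class HtmlEncodingStringBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext,
                            ModelBindingContext bindingContext)
    {
        ValueProviderResult result =
            bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
        if (result == null)
            return null;

        // Keep the raw value in ModelState so the form can be redisplayed
        // after a validation failure, as the default binder would.
        bindingContext.ModelState.SetModelValue(bindingContext.ModelName, result);

        string raw = result.AttemptedValue;
        // This is the step the answer warns about: "<b>" is stored as
        // "&lt;b&gt;", so the database no longer holds what the user typed.
        return raw == null ? null : HttpUtility.HtmlEncode(raw);
    }
}

// Global.asax.cs (assumed class name)
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        ModelBinders.Binders.Add(typeof(string), new HtmlEncodingStringBinder());
    }
}

// Consequence: the stored value is already encoded, so <%: model.Comment %>
// in a view encodes it a second time and the page shows the literal text
// "&lt;b&gt;". Worse, a value later placed inside a <script> string or a URL
// needs a different encoder than the HTML one applied at input, which is why
// the encoding belongs at output, chosen per context, with the stored data
// left intact:
//   <%: model.Comment %>                               // HTML body / attribute
//   HttpUtility.JavaScriptStringEncode(model.Comment)  // JavaScript string (.NET 4)
//   HttpUtility.UrlEncode(model.Comment)               // query-string value
```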