Is there a way to prevent page url parameters being passed to HTML.Action in ASP.NET MVC 5

Question

The documentation for Action (HtmlHelper, String, String, Object) (or the RouteValueDictionary version) states that "The routeValues parameter is merged with the original route values and overrides them."

https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.html.childactionextensions.action?view=aspnet-mvc-5.2#system-web-mvc-html-childactionextensions-action(system-web-mvc-htmlhelper-system-string-system-string-system-object)

However, I've realised that this does not play well with optional parameters - say you have something like

[ChildActionOnly]
public PartialViewResult BigBanner(string bannername, string title = "")

where title is an optional parameter for the controller method which generates a complex banner block. If the title is supplied by the calling page, then all is well and good. If it's omitted, then the intention is that the child action won't render a title. However, if someone crafts a URL with ?title=SomethingBad, then this will be rendered onto the page. At best this allows arbitrary content to be rendered, at worst it's the basis for a XSS attack depending on how the parameters were used.

Clarification/Edit The point here is that ANY optional parameter that is not used in the Html.Action call CAN BE SET BY THE URL - therefore changing the desired behaviour of a page. So there's an infinite variety of possible exploits of this deppending on how those optional parameters are used.

Is there a way to use Html.Action without the merging of the object/routevaluedictionary with the page level parameters to prevent this sort of parameter setting - it seems rather an unsafe default.

Is there a way to prevent page url parameters being passed to HTML.Action in ASP.NET MVC 5

Answers (1)

Related Questions