cross-site scripting attacks


Well-known member
Nov 16, 2005
Columbia, SC
Programming Experience
I was in the process of trying to protect my MVC5 app from Cross-Site Scripting Attacks.

There were many online code snippets that seemed to only apply to older MVC versions or to Web Forms apps so I was left experimenting with whatever I could find in hopes of finding something that worked, and I stumbled across 'Request.Unvalidated().Form["text..."];'

On my site in a forum style textarea, the user inputs comments, etc. If any HTML characters are entered, an exception is thrown. The exception doesn't fire until the Request data is being assigned to the database fields.

Out of curiousity, I inserted the 'Request.Unvalidated().Form["text..."]'; at the point in the code where the exception typically gets fired, just to see what happened.

CmdStr.Parameters.Add("@Text", MySqlDbType.VarChar).Value = Request.Unvalidated().Form["Text1"];

... and then, running the app, in the users' input textarea typed '<script>alert("Hello");</script>'

I thought that I had effectively bypassed the request validation protection provided by .NET and I would see first hand my little Scripting Attack. To my surprise, there was no alert pop-up. The code not only prevented the exception from firing, it laid out the JavaScript in plain text not only in the table that displays this text but also in the database.

I was under the impression that I would need to use 'Html.Encode' and 'Html.Decode' to disable or display any HTML or scripting that might be hiding in the Request data. Also that I would need to put
<httpRuntime requestValidationMode="4.5" />
in web.config. I have done neither of those things but it appears to be working fine without them.

So... What am I missing ? Is it good to go as is ?
Top Bottom