ALX
Well-known member
I've been going back & forth on the issue of user input validation as far as protecting my MVC site from xss attacks. I'm using VS2019 with .NET 4.8. The app includes a very simple feedback forum with user input for Name, EMail & Comments. From the controller, existing database data is sent as a datatable (dt1) to the View in the Viewbag. A simplified version of the code in the View involves a table for displaying existing posts as:
Razor (C#):
<table>
@for (int j = ViewBag.dt1.Rows.Count - 1; j >= 0; j--)
{
    <tr>
        <td>@ViewBag.dt1.Rows[j][0]</td> @*UserName*@
        <td>@ViewBag.dt1.Rows[j][2]</td> @*Date*@
        <td>@ViewBag.dt1.Rows[j][1]</td> @*email (Displayed as "******")*@
        <td>@ViewBag.dt1.Rows[j][3]</td> @*Text*@
    </tr>
}
</table>
And the current user's input is accepted in textboxes and a textarea as:
Razor (C#):
@Html.TextBoxFor(m => m.UserName1 ... etc.
@Html.TextBoxFor(m => m.EMail2 ...
@Html.TextAreaFor(m => m.Text1 ...
By disabling validation and without using any additional XSS protection schemes, I have been unable to enter any input that would be rendered as active HTML. Everything I input, <script>alert("XSS attack")</script> etc., is rendered as plain text, which is exactly what I want. There is no need to allow HTML in any of the input fields. In spite of the fact that it works perfectly as is, I have been warned by many that I still need to sanitize the input. OK, fine...
With AntiXSS and other encoders as well, an apostrophe is displayed in the table as ' so if the user enters "Sam's" it gets displayed as Sam's. That and a few other encoding examples are simply not acceptable, so I've been tossing around the idea of creating my own little blacklist... Say maybe a small procedure in the Model to alter certain characters and remove others...
C#:
public string CleanText(string Text)
{
    Text = Text.Replace((char)39, (char)700); // Swap apostrophe (') with modifier letter apostrophe (U+02BC)
    Text = Text.Replace((char)60, (char)32); // Replace angle brackets (< and >) with spaces
    Text = Text.Replace((char)62, (char)32);
    ...
    return Text;
}
I would greatly appreciate any critique & guidance here. If this blacklist approach could work, I'd be thankful for more character suggestions that need to be modified.
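The following console program is an added example, not code from the post above, that puts the blacklist idea next to standard HTML output encoding so the two behaviours can be compared on the same inputs. It assumes .NET Framework 4.x (System.Net.WebUtility is available there) and reproduces the poster's CleanText under that name with constructed sample inputs; the Razor @ syntax used in the post already applies the same HTML encoding when it renders a value, which is why the markup typed into the form came out as plain text.

```csharp
using System;
using System.Net;

// Added example (not from the original post). Compares a character blacklist
// with HTML output encoding on the same constructed sample inputs.
public static class EncodingDemo
{
    // The poster's CleanText, reproduced for comparison.
    public static string CleanText(string text)
    {
        text = text.Replace('\'', '\u02BC'); // (char)39 -> (char)700, modifier letter apostrophe
        text = text.Replace('<', ' ');       // angle brackets become spaces
        text = text.Replace('>', ' ');
        return text;
    }

    // Output encoding: the stored value stays exactly what the user typed;
    // encoding happens only at the moment the value is written into HTML.
    // WebUtility.HtmlEncode turns < > & " and ' into &lt; &gt; &amp; &quot; and &#39;.
    public static string Encode(string text)
    {
        return WebUtility.HtmlEncode(text);
    }

    // What a browser shows after parsing the encoded markup: the entities are
    // decoded back into the characters the user originally typed.
    public static string Rendered(string encoded)
    {
        return WebUtility.HtmlDecode(encoded);
    }

    public static void Main()
    {
        // Constructed sample inputs, including the "Sam's" case from the post.
        string[] samples =
        {
            "Sam's",
            "Tom & Jerry",
            "say \"hi\"",
            "<script>alert(\"XSS attack\")</script>"
        };

        foreach (string s in samples)
        {
            string encoded = Encode(s);
            Console.WriteLine("input    : " + s);
            Console.WriteLine("blacklist: " + CleanText(s));   // stored data is altered
            Console.WriteLine("encoded  : " + encoded);        // what page source contains
            Console.WriteLine("rendered : " + Rendered(encoded)); // what the user sees
            Console.WriteLine();
        }
    }
}
```

For "Sam's" the encoded line is `Sam&#39;s` (that is what view-source shows) while the rendered line is `Sam's` again, because the browser decodes the entity; the blacklist instead rewrites the stored text to a different Unicode character and leaves `&` and `"` untouched. If the literal text `&#39;` is what appears in the table on screen, the value has been encoded twice, once before it was stored and once more by Razor's `@` at render time; encoding only at output avoids that.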