Since ASP.NET 1.1, Web Forms has shielded the programmer from the most obvious cross-site scripting payloads by validating all input sent to the server: any form, query string or cookie value that looks like markup is rejected before the page sees it. Unfortunately, this does not happen in ASP.NET MVC. I tested my application by typing 'alert("xss");' surrounded by script tags in the first name textbox. The form saved successfully and I got a JavaScript alert box with the message "xss".
In ASP.NET MVC it is the programmer's responsibility to validate all input. Calling Request.ValidateInput() in a controller marks the request so that the next read of Request.Form, Request.QueryString or Request.Cookies is validated; the call itself does not inspect anything. If a value contains characters that look like markup, an HttpRequestValidationException is thrown at the point where the value is read, which in the example below is the call to UpdateModel. Bear in mind that request validation is a coarse filter and not a substitute for encoding every value you render into a page; treat it as defence in depth.
Here is an example implementation:
Request.ValidateInput(); // mark the request: the next read of Form/QueryString/Cookies is validated
try { UpdateModel(b, new[] { "FirstName", "LastName", "Email" }); } // reads Request.Form, so the exception surfaces here
catch (HttpRequestValidationException) { /* Handle request validation error, e.g. add a ModelState error and redisplay the form */ }
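The snippet above shows only the three lines around UpdateModel. The following is an added example, not code from the original post, showing the same technique inside a complete POST action so the failure path is visible: the suspicious submission is rejected with a ModelState error and the form is redisplayed, and nothing is saved unless validation passed. The Contact model, the ContactController, the Create action and the in-memory Store are assumptions made for the example; the bound property names FirstName, LastName and Email come from the post.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Assumed model for the form discussed in the post. The property names are the ones
// the original snippet binds; the class name is an assumption for this example.
public class Contact
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string Email { get; set; }
}

public class ContactController : Controller
{
    // Assumed in-memory store so the example is self-contained; any persistence would do.
    private static readonly List<Contact> Store = new List<Contact>();

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create()
    {
        var contact = new Contact();

        // Mark the request so that the next read of Request.Form / QueryString / Cookies
        // is checked for markup. Nothing is inspected until something reads those
        // collections, which is why UpdateModel sits inside the try block.
        Request.ValidateInput();

        try
        {
            // UpdateModel reads Request.Form; a value such as <script>alert("xss");</script>
            // makes this call throw HttpRequestValidationException.
            UpdateModel(contact, new[] { "FirstName", "LastName", "Email" });
        }
        catch (HttpRequestValidationException)
        {
            // Reject the whole submission rather than saving the suspicious value,
            // and redisplay the form with an error the user can act on.
            ModelState.AddModelError("", "The form contained characters that are not allowed.");
            return View(contact);
        }

        if (!ModelState.IsValid)
        {
            return View(contact);
        }

        Store.Add(contact);
        return RedirectToAction("Index");
    }
}
```

Request validation only stops values that look like markup; it is not a complete XSS defence. Whatever is saved should still be HTML-encoded when it is rendered, for example with Html.Encode(Model.FirstName) in the view, so that a value which slips past the filter cannot execute in the browser.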