What Is a Cross Site Scripting (XSS) Attack?
A Cross Site Scripting (XSS) attack is a type of injection attack: the attacker injects client-side script or other malicious code into the pages your web application serves, and that code then runs in the browsers of the users who view those pages.
Any input that your application accepts and later renders, such as form fields, can be used to insert such scripts and malicious code into your web application.
XSS attacks are common because they execute in the web browser; approximately 84% of websites have been affected by them.
How To Prevent XSS in ASP.NET MVC Apps?
ASP.NET MVC validates requests for Cross Site Scripting (XSS) content by default: if anyone tries to post JavaScript, HTML or other XSS-style code that would be saved to the database, request validation rejects the request and returns an error.
The AllowHtml attribute allows a request to send HTML/JavaScript to the server. It is applied to a model property and disables request validation for that property only.
Because the AllowHtml attribute is applied to a View Model class with limited scope, it is the safe and recommended solution for preventing Cross Site Scripting (XSS) attacks in ASP.NET MVC apps.
In an ASP.NET MVC project, follow the steps below to prevent XSS attacks:
// Step 1
// Add the following attribute to the POST action in the controller for
// which you want to allow HTML. It disables request validation for every
// value bound by that action; [AllowHtml] on individual properties (step 2)
// is the narrower alternative.
[ValidateInput(false)]
// Step 2
// Apply the AllowHtml attribute to the properties of the Customer view
// model that may contain HTML; Email keeps the default request validation.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class CustomerViewModel
{
    [Display(Name = "Email")]
    public string Email { get; set; }

    [AllowHtml]
    public string Name { get; set; }

    [AllowHtml]
    [Display(Name = "Description")]
    public string Description { get; set; }
}
// Step 3
// HTML (Razor) view
@model PreventXSSAttacks.Models.CustomerViewModel
@{
    ViewBag.Title = "Add Customer";
}
<h2>@ViewBag.Title.</h2>
@using (Html.BeginForm("Create", "Customer", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
    @Html.AntiForgeryToken()
    <h4>Create a new account.</h4>
    <hr />
    @Html.ValidationSummary("", new { @class = "text-danger" })
    <div class="form-group">
        @Html.LabelFor(m => m.Email, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.TextBoxFor(m => m.Email, new { @class = "form-control" })
        </div>
    </div>
    <div class="form-group">
        @Html.LabelFor(m => m.Name, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.TextBoxFor(m => m.Name, new { @class = "form-control" })
        </div>
    </div>
    <div class="form-group">
        @Html.LabelFor(m => m.Description, new { @class = "col-md-2 control-label" })
        <div class="col-md-10">
            @Html.TextBoxFor(m => m.Description, new { @class = "form-control" })
        </div>
    </div>
    <div class="form-group">
        <div class="col-md-offset-2 col-md-10">
            <input type="submit" class="btn btn-default" value="Add Customer" />
        </div>
    </div>
}
// Step 4
// Customer controller's action. [ValidateAntiForgeryToken] pairs with the
// @Html.AntiForgeryToken() call in the view. HttpUtility.HtmlEncode already
// replaces &, <, >, " and ' with their HTML entities, so the description is
// encoded exactly once before it is stored; encoding it a second time would
// store "&amp;lt;" where "&lt;" is wanted.
using System.Web;
using System.Web.Mvc;

[HttpPost]
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public ActionResult Create(CustomerViewModel customer)
{
    if (ModelState.IsValid)
    {
        string encoded = HttpUtility.HtmlEncode(customer.Description);
        if (!string.IsNullOrEmpty(encoded))
        {
            customer.Description = encoded;
            return _custRepot.InsertCustomer(customer);
        }
    }
    return View(customer);
}
Also, in your web.config set the request validation mode to 2.0 (on .NET 4.x this is required for [ValidateInput(false)] to take effect):
<httpRuntime targetFramework="4.5.1" requestValidationMode="2.0" />
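Added example, not code from the original post, showing why the description in step 4 must be encoded exactly once: Razor's @ encodes any value that is not an IHtmlString, so text that was already encoded before storage is encoded again on display unless it is written with Html.Raw. It assumes a .NET Framework console project that references System.Web; the input string is constructed for the demonstration.

```csharp
// Added example (not from the original post). Assumes a .NET Framework
// console project referencing System.Web for HttpUtility and HtmlString.
using System;
using System.Web;

static class EncodeOnceDemo
{
    // Constructed sample input containing the characters the Create action
    // encodes; request validation would reject it without [AllowHtml].
    public const string RawInput = "<b>A & B</b> <script>alert('x')</script>";

    // What the Create action in step 4 stores: the value HTML-encoded once.
    public static string EncodeForStorage(string raw)
    {
        return HttpUtility.HtmlEncode(raw);
    }

    // Mimics what Razor's @ does when writing a value: IHtmlString values
    // (Html.Raw, MvcHtmlString) pass through unchanged, anything else is
    // HTML-encoded, and null writes nothing.
    public static string RazorOutput(object value)
    {
        if (value == null) return string.Empty;
        var markup = value as IHtmlString;
        return markup != null
            ? markup.ToHtmlString()
            : HttpUtility.HtmlEncode(value.ToString());
    }

    static void Main()
    {
        string stored = EncodeForStorage(RawInput);

        // 1. Raw text written with @: encoded exactly once (safe).
        Console.WriteLine(RazorOutput(RawInput));
        // 2. Pre-encoded text written with @: encoded twice, so the browser
        //    displays entity text such as "&lt;b&gt;" instead of bold text.
        Console.WriteLine(RazorOutput(stored));
        // 3. Pre-encoded text written with Html.Raw: encoded once (safe).
        Console.WriteLine(RazorOutput(new HtmlString(stored)));
        // 4. Raw text written with Html.Raw: the script tag reaches the
        //    browser unencoded. This is the XSS case the post is preventing.
        Console.WriteLine(RazorOutput(new HtmlString(RawInput)));
    }
}
```

Choose one place to encode: either store the raw text and let @ encode it on output, or store it encoded and render it with Html.Raw; mixing the two gives case 2.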
I hope you enjoyed this post! Please share it with your friends. Thank you so much!