Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
ASP.NET MVC 4 by default ignores HTML input in a post message. If I don’t explicitly accept HTML, is there any code I need to write to defend my site against XSS attacks? I won’t be using [AllowHtml] or [ValidateInput(false)]. I’m just trying to find out if I should worry about XSS attacks or not. I’m using Razor as my view engine.
I found an excellent blog post by Amir Ismail that addresses all of your concerns. http://miroprocessordev.blogspot.com/2012/03/save-aspnet-mvc-application-against.html
To summarize what he writes.
Razor is encoded default unless
Html.Rawis used.Html.AntiForgeryToken()can be used to create a random token that will protect against CSRF however it requires the user to accept cookies.