I needed something like what is described here (a method to render a partial view to a string so I can pass it along with some other data as a JsonResult).
The top answer seems to be working well but I’m wondering if this opens a vector for XSS CSS Injection?
If it does, would it be as easy as html encoding the result before returning it to prevent it?
Whether or not you are using JSON or HTML partial views, the HTTP POST actions should provide some XSS defense.
Which means the GET was supplied with the same token.
Typically in Razor… The token is added, then checked in the POST action.
Or you use your own hidden field and implement some check.
So yes, make sure HTTP POSTs are protected.
http://www.veracode.com/security/xss as a starter.
There is also MVC-based material on the topic, e.g.
http://weblogs.asp.net/jgalloway/archive/2011/04/28/preventing-javascript-encoding-xss-attacks-in-asp-net-mvc.aspx
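
An added example, not part of the original question or answer: an ASP.NET MVC controller that checks the anti-forgery token on the POST action and returns a partial view rendered to a string inside a JsonResult. The names CommentModel, CommentsController and the _Comment partial are assumptions. The token guards against forged requests, while script injection is handled by Razor's default HTML encoding of @Model.Text inside the partial.

```csharp
using System.IO;
using System.Web.Mvc;

// Hypothetical model, controller and view names. The "_Comment" partial is
// assumed to contain <p>@Model.Text</p>, which Razor HTML-encodes on output.
public class CommentModel { public string Text { get; set; } }

public class CommentsController : Controller
{
    // GET: the view calls @Html.AntiForgeryToken() inside its <form>, which
    // emits the hidden __RequestVerificationToken field and a matching cookie.
    [HttpGet]
    public ActionResult Create() { return View(new CommentModel()); }

    // POST: rejected unless the token issued with the GET is sent back.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public JsonResult Create(CommentModel model)
    {
        // Do not HTML-encode this string as a whole: that would escape the
        // partial's own tags. User data is encoded where the partial writes
        // @Model.Text; Html.Raw(Model.Text) would bypass that encoding.
        string html = RenderPartialViewToString("_Comment", model);
        return Json(new { ok = true, html });
    }

    private string RenderPartialViewToString(string viewName, object model)
    {
        ViewData.Model = model;
        using (var writer = new StringWriter())
        {
            ViewEngineResult result =
                ViewEngines.Engines.FindPartialView(ControllerContext, viewName);
            var context = new ViewContext(
                ControllerContext, result.View, ViewData, TempData, writer);
            result.View.Render(context, writer);
            result.ViewEngine.ReleaseView(ControllerContext, result.View);
            return writer.ToString();
        }
    }
}
```

On the client, the returned html string is markup and is inserted as such; any other field added to the JSON that carries raw user text should be written with a text-only API rather than as HTML.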