In standard ASP.NET applications, ASP.NET offered some protection from XSS attacks, with validateRequest throwing detect dangerous input errors if someone tried to. This functionality seems to have been taken out of MVC. Any idea why?
This is a hard line to cross. Is your web application just a RESTful web resource like it ‘should’ be? Or is it trying to do more? Next thing you know you have 100 hidden input fields: __VIEWSTATE, __EVENTTARGET, __EVENTARGUMENT, etc, etc.
As you know, you can still prevent XSS attacks in MVC. Just google it to see several examples. But the reason is basically that MVC is a different, ‘cleaner’ type of web application.
EDIT: I don’t know if what I’ve said above is clear. But the idea is that MVC isn’t going to try to be more than what it is (like ASP.NET does). They both have their strong points and reasons.