What is the best way to sanitize the user input in asp.net mvc without throwing “potentially dangerous request.form” exception and still preventing the xss attack for the post requests which contains dangerous tags.
Edit:
I tried the AntiXss and created custom encoder which encodes all the submitted values at runtime but the problem is that it is still throwing the exception. Actually I am not figuring out that exactly where (which event) I can ensure that the request contains nothing dangerous and if it contains something dangerous, I can redirect it to another Action rather than throwing exception.
Disable the automatic form checking, and use Microsoft Anti-Cross Site Scripting Library to manually check each relevant field for XSS.
Of course, in MVC some of the checks come out of the box. If, for example, your action method contains an int parameter called
productID, and the user submits a form with a productID field, it’s automatically populated by MVC’s model binder mechanism and you get a “strong” int which you can count on. No text inside, no problems.So all you have to check are the text-based fields.