
[Source] ASP.NET MVC requests XSS Dangerous Content Validation (ValidateInput)

Posted on 7/8/2023 10:05:07 PM
Requirements: Extract the source code in ASP.NET MVC that validates potentially dangerous data in the request form. Simply put, it verifies whether the request data contains cross-site scripting (XSS) content; XSS is blocked by default in MVC.

Cross-site scripting (XSS) is a security vulnerability found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Attackers may exploit cross-site scripting vulnerabilities to bypass access controls such as the same-origin policy.

ValidateInput: Causes validation to occur for the collections accessed through the Cookies, Form, and QueryString properties. The HttpRequest class uses the input validation flag to track whether validation is performed on the request collections accessed through the Cookies, Form and QueryString properties.

// HttpRequest.ValidateInput (System.Web): sets the flags that make the
// request collections validate their contents the first time they are read.
public void ValidateInput() {
    // It doesn't make sense to call this multiple times per request.
    // Additionally, if validation was suppressed, no-op now.
    if (ValidateInputWasCalled || RequestValidationSuppressed) {
        return;
    }

    _flags.Set(hasValidateInputBeenCalled);

    // This is to prevent some XSS (cross site scripting) attacks (ASURT 122278)
    _flags.Set(needToValidateQueryString);
    _flags.Set(needToValidateForm);
    _flags.Set(needToValidateCookies);
    _flags.Set(needToValidatePostedFiles);
    _flags.Set(needToValidateRawUrl);
    _flags.Set(needToValidatePath);
    _flags.Set(needToValidatePathInfo);
    _flags.Set(needToValidateHeaders);
}


Validating potentially hazardous data: HttpRequest -> ValidateString -> CrossSiteScriptingValidation.IsDangerousString, as shown in the figure below:




Copy the source code into your project and test it as follows:



Source:


If you really want to receive dangerous content, you can use Request.Unvalidated.Form.

(End)
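Added example, not code from the post or from Microsoft: a Python re-implementation of the IsDangerousString rule as I read it in the System.Web reference source (treat the exact rule set as an assumption and check it against the linked source), plus a helper that runs it over a constructed form collection the way ValidateString is applied to Request.Form. It shows why plain "a < b" or "Tom & Jerry" passes while any HTML tag or numeric entity is rejected, which is the behaviour AllowHtml or Request.Unvalidated opts out of.

```python
from typing import Dict, List, Optional

# Only these two characters can start a sequence the validator rejects.
START_CHARS = ("<", "&")


def is_dangerous_string(s: str) -> Optional[int]:
    """Return the index of the first rejected sequence in s, or None.

    Rules (assumed from the System.Web reference source):
      '<' followed by an ASCII letter, '!', '/' or '?'  -> tag, comment, end tag, PI
      '&' followed by '#'                               -> numeric character reference
    A '<' or '&' that is the last character is never flagged.
    """
    i = 0
    while True:
        n = next((k for k in range(i, len(s)) if s[k] in START_CHARS), -1)
        if n < 0 or n == len(s) - 1:
            return None
        nxt = s[n + 1]
        if s[n] == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return n
        if s[n] == "&" and nxt == "#":
            return n
        i = n + 1  # keep scanning after a harmless '<' or '&'


def validate_collection(name: str, fields: Dict[str, str]) -> List[str]:
    """Mimic request validation over one collection (Form, QueryString, Cookies).

    Returns one finding per field that would make ASP.NET throw
    HttpRequestValidationException. Keys beginning with "__" (view state and
    similar framework fields) are skipped, as I read the reference source.
    """
    findings = []
    for key, value in fields.items():
        if key.startswith("__") or not value:
            continue
        idx = is_dangerous_string(value)
        if idx is not None:
            findings.append(f"{name}[{key}] rejected at index {idx}: {value[idx:idx + 20]!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample form; only 'bio' should be rejected.
    form = {"name": "Tom & Jerry", "math": "a < b", "bio": "<b>hi</b>", "__VIEWSTATE": "<x>"}
    for line in validate_collection("Form", form):
        print(line)
```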




Original poster | Posted on 7/8/2023 10:06:32 PM
AllowHtmlAttribute class: Allows a request to include HTML markup during model binding by skipping request validation for the property. (It is strongly recommended that the application explicitly check all models where request validation is disabled, to prevent scripting attacks.)

https://learn.microsoft.com/zh-c ... .allowhtmlattribute
Original poster | Posted on 7/8/2023 10:06:49 PM
ValidateAntiForgeryToken and AutoValidateAntiforgeryToken anti-forgery attributes explained in detail:
https://www.itsvse.com/thread-9568-1-1.html