1

Any suggestions for best practice on validating/cleaning user input in ASP.NET MVC. It seems ValidateInput will almost always need to be set to False since it cant be handled from within the MVC framework (the error is thrown even before the Action Method is fired).

So how should the input be validated for malicious input. Do we have to manually screen each input and check it for characters such as <, >, " etc How about if we only wish to allow some types of input such as tags but forbid and other inputs? This must be a pretty common requirement of a web app now, but I can't see much in ASP.NET MVC to automate this.

Improve this question

1 Answer 1

Reset to default
2

So how should the input be validated for malicious input. \

It depends on what your application is doing with this input. If you are storing it in a relational database for example, well, as long as you use parametrized queries and properly encode the user request, relational database don't care about storing for example alert('foo'); in a given column. When you might get into trouble is when you try to fetch the result stored in this database and show it on some view. It is at that moment that you must ensure that the result is properly HTML encoded.

So for example let's suppose that you have stored some hyper dangerous string in your data store and you want to display it on your view. If you were using the Razor view engine you would simply:

@Html.DisplayFor(x => x.SomeProperty)

which will take care of properly HTML encoding the value of SomeProperty so that you don;t have to worry about.

And if you were using the WebForms view engine:

<%= Html.DisplayFor(x => x.SomeProperty) %>

So, as you can see there are two critical moments where you should be careful with the user input:

  • always use parametrized queries if you are storing this user input into a relational database
  • always HTML encode the value you have stored when time comes to render it on some view
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Yes, I understand that. However, allowing potentially harmful input into the database isn't a good idea. No guarantee that down the road when the UI is changed it won't be output in Raw by mistake. Surely it can't be acceptable to allow dangerous input in the first place. Also it wouldn't look good for the web if that sort of input was simply allowed to be entered and alert('foo') showed up as output text.
@Judo, I don't agree with you. Simply store the user input as is into the database. Relational databases don't care about harmful input as long as you store it properly. Believe me if you start modifying the user input before storing it into the database you will get into more problems than you are trying to solve. So if you follow the two fundamental rules I provided in my answer you are safe.
@Judo - Another thing to consider is it very hard to validate incoming data for the infinite supply of javascript vulnerabilities that pop up every year. You'd essentially be fighting a losing battle. Simply using Razor or <%; pretty much guarantees you won't have any of these issues and is far cheaper in terms of effort.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.