6

Is there any built-in support for validating malicious input within the Web API, similar to forms with MVC?

If not, could anyone suggest a "global" filter/message inspector/whatever to validate against malicious input? I'm trying to avoid validating all of my models/parameters individually...

2
  • What kind of malicious input validation are you referring to in ASP.NET MVC? Is it the antiforgery token validation? Commented Jul 2, 2013 at 21:05
  • The ValidateInput attribute and underlying asp.net infrastructure for doing this... Commented Jul 2, 2013 at 21:31

4 Answers

8

I believe XSS is not relevant to ASP.NET Web API. Here is why I think so. Suppose, in the request body, I get JSON like this: "input": "<script>alert('hello');</script>", and the Web API stores the "input", which is bound to some property, as-is into a database, retrieves it as-is in a subsequent GET request and sends that off to a client. It is still okay. It is the responsibility of the client to ensure this data is escaped correctly. So, when this input property is serialized to, say, a web application, before it writes to the browser, the client web app must HTML encode. Web API doing this generally does not make sense because a web API can be consumed by other clients, say a WPF application, where XSS may not be applicable. Or am I missing any specific case you have in mind?


7

No, I don't believe there is such support. Here's why. The input validation support with Web Forms/MVC was a stopgap measure. But encoding output is the better XSS fix; validating input doesn't work perfectly, as what input is "bad" depends on how you'll be outputting it (as part of HTML element source, as part of JS source, in an HTML attribute value, as part of a SQL query, etc.).

So I'd recommend against generic, global input validation as the solution to XSS concerns. Instead, make sure you're always encoding input correctly before outputting it (or passing it on to another layer, such as a SQL DB). For output, if you're using the normal Web API mechanisms for returning data (model classes with content negotiation/formatters), the formatters should handle the content-type-specific encoding for you.

1 Comment

Thanks for the answer. Well, that is unfortunate. The disparity between web api and mvc can be frustrating, because they both have so many similarities. While global input validation may not be the best solution in all cases, I'd bet that it would be the preferred solution for most applications. Not providing any solution at all seems like a cop out :)
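The point made in the two answers above (the API can hand the raw string back; the consumer encodes it for the place it is about to be written) is easiest to see by running one untrusted value through each output context. The following is an added example, not code from the question, the answers, or ASP.NET itself. It assumes .NET Framework with a reference to System.Web.dll (for `HttpUtility.JavaScriptStringEncode`) and System.Data.dll; the class name `OutputEncodingDemo` and the sample string are ours.

```csharp
// Added example: the same untrusted string, encoded differently depending on
// where it is about to be written. Which characters are "bad" depends on the
// sink, which is why one global input filter cannot substitute for this.
using System;
using System.Data.SqlClient;
using System.Net;
using System.Web;

static class OutputEncodingDemo
{
    // Constructed sample input: the payload from the first answer plus a
    // quote and an event handler that would break out of an attribute.
    const string Untrusted = "<script>alert('hello');</script>\" onmouseover=\"x";

    // 1. HTML element content and quoted attribute values: < > & " ' become entities.
    public static string ForHtmlBody(string value)
    {
        return "<p>" + WebUtility.HtmlEncode(value) + "</p>";
    }

    public static string ForHtmlAttribute(string value)
    {
        // The attribute must be quoted; HtmlEncode alone is not enough for an
        // unquoted attribute, because a space would end the value.
        return "<input value=\"" + WebUtility.HtmlEncode(value) + "\">";
    }

    // 2. A JavaScript string literal: HTML entities are meaningless here, the
    //    encoder must produce \u003c, \u0027 and \" instead.
    public static string ForJavaScriptLiteral(string value)
    {
        return "var name = '" + HttpUtility.JavaScriptStringEncode(value) + "';";
    }

    // 3. A URL query parameter: percent-encoding, a third alphabet again.
    public static string ForUrlQuery(string value)
    {
        return "/search?q=" + Uri.EscapeDataString(value);
    }

    // 4. SQL: do not encode at all. The raw value travels as a parameter, so
    //    the database never interprets it as part of the statement.
    public static SqlCommand ForSql(string value)
    {
        var cmd = new SqlCommand("INSERT INTO Notes (Body) VALUES (@body)");
        cmd.Parameters.AddWithValue("@body", value);
        return cmd; // attach a SqlConnection and call ExecuteNonQuery in real code
    }

    static void Main()
    {
        Console.WriteLine(ForHtmlBody(Untrusted));
        Console.WriteLine(ForHtmlAttribute(Untrusted));
        Console.WriteLine(ForJavaScriptLiteral(Untrusted));
        Console.WriteLine(ForUrlQuery(Untrusted));
        Console.WriteLine(ForSql(Untrusted).CommandText);
    }
}
```

Note what a single "global" HTML-encoding filter on the way in would do to cases 2 to 4: the entity-encoded string is still an injection inside a JavaScript literal, is double-encoded in a URL, and is simply corrupted data in the database. Storing the value unchanged and choosing the encoder at the sink is what makes each consumer (browser, WPF client, another service) able to do the right thing.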
0

Why don't you use HttpUtility.HtmlEncode?

1 Comment

Right, but how is that a global solution? I'd still have to call HtmlEncode on each string property.
0

Input should always be validated. It doesn't matter where it is going. A name field should return a name string, not a jpeg file or for example depending on your environment a SQL attack.

2 Comments

Please check this URL; it will be useful to raise your content quality.
It definitely should be validated. However, what is missing is the baseline XSS validation in the framework. Developers have to do this repetitively in code.
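The answer above is about validating the shape of the input (a name field holds a name), which is a different job from XSS filtering, and it is the one thing Web API does let you apply globally: an action filter that rejects any request whose model fails its DataAnnotations rules. The following is an added example, not code from the page or from ASP.NET's own samples. It assumes ASP.NET Web API 2 on .NET Framework; `ValidateModelAttribute`, `NoteDto`, `NotesController` and the `api/notes` route are names we chose for the illustration.

```csharp
// Added example: one filter, registered once, validates every action's model
// before the action runs. Validation rules live on the model class, so each
// controller does not repeat the ModelState check.
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class ValidateModelAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        if (!actionContext.ModelState.IsValid)
        {
            // Setting Response short-circuits the pipeline: the action never
            // executes, and the client gets a 400 listing each failed field.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.BadRequest, actionContext.ModelState);
        }
    }
}

// The rules describe what a valid value looks like. They deliberately say
// nothing about HTML: the Body is stored as-is and encoded by whoever renders it.
public class NoteDto
{
    [Required, StringLength(100)]
    [RegularExpression(@"^[\p{L}\p{M}' .-]+$",
        ErrorMessage = "Name may contain letters, spaces, apostrophes, periods and hyphens only.")]
    public string Name { get; set; }

    [Required, StringLength(4000)]
    public string Body { get; set; }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Adding the filter to the global collection applies it to every action.
        config.Filters.Add(new ValidateModelAttribute());
        config.MapHttpAttributeRoutes();
    }
}

public class NotesController : ApiController
{
    [HttpPost, Route("api/notes")]
    public IHttpActionResult Post(NoteDto note)
    {
        // Caveat: an empty or missing request body binds `note` to null and
        // leaves ModelState valid, so the filter does not catch that case.
        if (note == null)
        {
            return BadRequest("A request body is required.");
        }

        // Reached only when every DataAnnotations rule on NoteDto passed.
        return Ok(note);
    }
}
```

A POST of `{"name": "<script>", "body": "hi"}` is rejected by the `RegularExpression` rule on `Name` because the value is not name-shaped, not because it contains a tag; a POST with a tag in `Body` is accepted and stored unchanged, which is the division of labour the earlier answers describe.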
