Request validation is a powerful mechanism to prevent injecting malicious code into the server via a request. It is done on the server side regardless of whether client-side validation has been done or not, so one can be sure that if something unusual is coming in, an exception is thrown automatically.
My question: while we have "request validation" in hand, is it still necessary to sanitize requests?
I'm using ASP.NET MVC 5.0.
PS: I'm solely talking in the context of the web (not the DB or anything else) and potential vulnerabilities (such as XSS).
Yes! There is plenty of input that is valid in ASP.NET's eyes that could cause issues in your application if not dealt with correctly.
For example, if you passed data in a request and weren't correctly parameterizing your queries in the data layer, the input:
x'; drop table users; --
could result in the query:
select fieldlist from users where email = 'x'; drop table users; -- oh noes! You've lost your users table!
You should treat user input as hostile irrespective of request validation. This demonstrates a scenario whereby request validation wouldn't save your skin.
HTML encoding when you render user-provided input is important... never render untrusted input using @Html.Raw, and be careful that your HtmlHelpers correctly encode what's coming from the user.
Defence in depth is important. Think of request validation as one piece of the process.
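The two mitigations the answer above relies on, parameterized queries in the data layer and HTML encoding at render time, shown as an added example that is not part of the original answer. It uses Python's sqlite3 module as a stand-in for the ASP.NET data layer and html.escape as a stand-in for the Razor helpers' automatic encoding (both are assumptions; the MVC project itself is not shown on this page). The table, its two rows and the "<script>" name are constructed sample data; the email string is the one from the answer.

```python
import html
import sqlite3

# Constructed sample input: the exact string from the answer above, plus a
# constructed HTML payload for the encoding step.
HOSTILE_EMAIL = "x'; drop table users; --"
HOSTILE_NAME = '<script>alert("xss")</script>'


def make_db():
    """Build an in-memory users table with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (email text, name text)")
    conn.executemany(
        "insert into users (email, name) values (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    conn.commit()
    return conn


def find_user_by_email(conn, email):
    """Parameterized lookup: the driver binds `email` as a value, so the quote
    and semicolon inside it are compared against the column, never parsed as
    SQL. The hostile string simply matches no row."""
    cur = conn.execute("select email, name from users where email = ?", (email,))
    return cur.fetchall()


def table_exists(conn, name):
    """Check the catalogue so a test can confirm the users table survived."""
    cur = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    )
    return cur.fetchone()[0] == 1


def user_count(conn):
    return conn.execute("select count(*) from users").fetchone()[0]


def render_greeting(name):
    """Encode before placing user data inside HTML: the equivalent of letting
    the Razor helpers encode instead of bypassing them with @Html.Raw."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_user_by_email(db, HOSTILE_EMAIL))   # [] : no match, no damage
    print(table_exists(db, "users"), user_count(db))  # True 2
    print(render_greeting(HOSTILE_NAME))           # tags arrive as text, not markup
```

Request validation would already reject the "<script>" name at the framework boundary, but the email string passes it untouched; only the parameter binding in find_user_by_email keeps it from becoming SQL, which is the defence-in-depth point of the answer.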