MVC :: Preventing JavaScript Injection Attacks
The goal of this tutorial is to explain how you can prevent JavaScript injection attacks in
your ASP.NET MVC applications. This tutorial discusses two approaches to defending your
website against a JavaScript injection attack. You learn how to prevent JavaScript injection
attacks by encoding the data that you display. You also learn how to prevent JavaScript
injection attacks by encoding the data that you accept.

What is a JavaScript Injection Attack?
Whenever you accept user input and redisplay it, you open your website to JavaScript
injection attacks. Let's examine a concrete application that is open to JavaScript
injection attacks.
Imagine that you have created a customer feedback website (see Figure 1). Customers can
visit the website and enter feedback on their experience using your products. When a
customer submits their feedback, the feedback is redisplayed on the feedback page.
Figure 1 – Customer Feedback Website


The customer feedback website uses the controller in Listing 1. This controller contains
two actions named Index() and Create().

Listing 1 – HomeController.cs
    using System;
    using System.Web.Mvc;
    using CustomerFeedback.Models;

    namespace CustomerFeedback.Controllers
    {
        [HandleError]
        public class HomeController : Controller
        {
            private FeedbackDataContext db = new FeedbackDataContext();

            public ActionResult Index()
            {
                return View(db.Feedbacks);
            }

            public ActionResult Create(string message)
            {
                // Add feedback
                var newFeedback = new Feedback();
                newFeedback.Message = message;
                newFeedback.EntryDate = DateTime.Now;
                db.Feedbacks.InsertOnSubmit(newFeedback);
                db.SubmitChanges();

                // Redirect
                return RedirectToAction("Index");
            }
        }
    }


The Index() method displays the Index view. This method passes all of the previous
customer feedback to the Index view by retrieving the feedback from the database (using a
LINQ to SQL query).
The Create() method creates a new Feedback item and adds it to the database. The
message that the customer enters in the form is passed to the Create() method in the
message parameter. A Feedback item is created and the message is assigned to the
Feedback item’s Message property. The Feedback item is submitted to the database with the
DataContext.SubmitChanges() method call. Finally, the visitor is redirected back to the
Index view where all of the feedback is displayed.

The Index view is contained in Listing 2.
Listing 2 – Index.aspx
    <%@ Page Language="C#" MasterPageFile="~/Views/Shared/Site.Master"
        AutoEventWireup="true" CodeBehind="Index.aspx.cs"
        Inherits="CustomerFeedback.Views.Home.Index" %>
    <%@ Import Namespace="CustomerFeedback.Models" %>
    <asp:Content ID="indexContent" ContentPlaceHolderID="MainContent"
        runat="server">
        <h1>Customer Feedback</h1>
        <p>
        Please use the following form to enter feedback about our
        product.
        </p>
        <form method="post" action="/Home/Create">

        <label for="message">Message:</label>
        <br />
        <textarea name="message" cols="50" rows="2"></textarea>
        <br /><br />
        <input type="submit" value="Submit Feedback" />

        </form>

        <% foreach (Feedback feedback in ViewData.Model)
           {%>
              <p>
              <%=feedback.EntryDate.ToShortTimeString()%>
              --
              <%=feedback.Message%>
              </p>
        <% }%>

    </asp:Content>

The Index view has two sections. The top section contains the actual customer feedback
form. The bottom section contains a foreach loop that iterates over all of the previous
customer feedback items and displays the EntryDate and Message properties for each
feedback item. Notice that Message is written into the page with <%= %> exactly as it
was stored; nothing between the textarea and the browser changes the text.
The customer feedback website is a simple website. Unfortunately, the website is open to
JavaScript injection attacks.
Imagine that you enter the following text into the customer feedback form:
        <script>alert("Boo!")</script>

This text is a JavaScript script that displays an alert message box. Because the view
writes Message into the page verbatim, the browser parses the stored text as markup and
runs the script. After someone submits this script into the feedback form, the message
Boo! will appear whenever anyone visits the customer feedback website in the future (see
Figure 2). Because the payload sits in the database and is served to every later
visitor, this is the persistent (stored) form of the attack.




Figure 2 – JavaScript Injection
Now, your initial response to JavaScript injection attacks might be apathy. You might think
that JavaScript injection attacks are simply a type of defacement attack and that no one
can do anything truly evil with one.
Unfortunately, an attacker can do some really evil things by injecting JavaScript into a
website. JavaScript injection is the mechanism behind a Cross-Site Scripting (XSS) attack:
the injected script runs in every other visitor's browser, inside your site's origin, with
that visitor's cookies and session and with the same access to the page that your own
scripts have. Anything it can read, it can send to a website the attacker controls.
For example, an attacker can use a JavaScript injection attack to read the values of your
site's cookies from other users' browsers. If sensitive information -- a session
identifier, or worse, passwords, credit card numbers, or social security numbers -- is
stored in those cookies, the attacker can steal it. Cookies marked HttpOnly are hidden from
script, but the injected script still executes as the logged-in user and can submit
requests in that user's name, so HttpOnly narrows the damage without fixing the bug. Or,
if a user enters sensitive information in a form field on a page that has been compromised
with injected JavaScript, the script can grab the form data as it is typed and send it to
another website.
Please be scared. Take JavaScript injection attacks seriously and protect your users'
confidential information. In the next two sections, we discuss two techniques that you can
use to defend your MVC applications from JavaScript injection attacks.

Approach #1: HTML Encode in the View
One easy method of preventing JavaScript injection attacks is to HTML encode any data
entered by website users when you redisplay the data in a view. The updated Index view in
Listing 3 follows this approach.
Listing 3 – Index.aspx (HTML Encoded)
    <%@ Page Language="C#" MasterPageFile="~/Views/Shared/Site.Master"
        AutoEventWireup="true" CodeBehind="Index.aspx.cs"
        Inherits="CustomerFeedback.Views.Home.Index" %>
    <%@ Import Namespace="CustomerFeedback.Models" %>
    <asp:Content ID="indexContent" ContentPlaceHolderID="MainContent"
        runat="server">
        <h1>Customer Feedback</h1>
        <p>
        Please use the following form to enter feedback about our
        product.
        </p>
        <form method="post" action="/Home/Create">

        <label for="message">Message:</label>
        <br />
        <textarea name="message" cols="50" rows="2"></textarea>
        <br /><br />
        <input type="submit" value="Submit Feedback" />

        </form>

        <% foreach (Feedback feedback in ViewData.Model)
           {%>
            <p>
            <%=feedback.EntryDate.ToShortTimeString()%>
            --
            <%=Html.Encode(feedback.Message)%>
            </p>
        <% }%>

    </asp:Content>


Notice that the value of feedback.Message is HTML encoded before the value is displayed
with the following code:
            <%=Html.Encode(feedback.Message)%>

What does it mean to HTML encode a string? When you HTML encode a string, characters that
have meaning to the HTML parser -- <, >, & and " -- are replaced by HTML entity references
such as &lt;, &gt;, &amp; and &quot;. So when the string <script>alert("Boo!")</script> is
HTML encoded, it gets converted to &lt;script&gt;alert(&quot;Boo!&quot;)&lt;/script&gt;.
The browser renders the encoded string as the literal text the user typed; it no longer
contains a start tag, so there is no script element to execute. Instead, you get the
harmless page in Figure 3.
Figure 3 – Defeated JavaScript Attack


Notice that in the Index view in Listing 3 only the value of feedback.Message is encoded.
The value of feedback.EntryDate is not encoded. Strictly, you only need to encode data that
came from outside your application, and EntryDate was generated in the controller from
DateTime.Now, so it cannot carry markup. In practice, the safer habit is to encode every
value a view writes out, trusted or not: encoding a date costs nothing, while deciding per
field which values are safe is a judgement that has to be repeated every time the view or
the model changes, and a single missed field reopens the hole. Later versions of ASP.NET
make that the default: the <%: %> block in ASP.NET 4 (MVC 2) and the @ syntax in Razor
views (MVC 3 and later) HTML encode automatically.
One further caveat: Html.Encode is the right tool for text placed between tags. A value
placed inside an attribute must also sit inside quotes (Html.AttributeEncode exists for
that), and a value placed inside a <script> block is read by the JavaScript parser, not the
HTML parser, so it needs JavaScript string escaping instead. Match the encoding to the
context the value lands in.
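The encoding step above, as an added example that is not code from the original tutorial. It builds the same <p> fragment the Index view emits, once unencoded and once encoded, using HttpUtility.HtmlEncode, which is what Html.Encode() calls internally in ASP.NET MVC. The second part shows the context caveat with HttpUtility.JavaScriptStringEncode; that method exists in .NET Framework 4 and later, not in the .NET 3.5 this tutorial targets. The helper names RenderVulnerable and RenderEncoded, the fixed timestamp and the message strings are constructed for this example and require a reference to the System.Web assembly.

```csharp
// Added example, not part of the tutorial. Requires a reference to System.Web.
using System;
using System.Web;

class EncodingDemo
{
    // Mirrors the loop body in Listing 2: Message is written out verbatim.
    static string RenderVulnerable(DateTime entryDate, string message)
    {
        return "<p>" + entryDate.ToShortTimeString() + " -- " + message + "</p>";
    }

    // Mirrors the loop body in Listing 3, but encodes EntryDate as well:
    // it costs nothing and removes the need to track which values are trusted.
    static string RenderEncoded(DateTime entryDate, string message)
    {
        return "<p>" + HttpUtility.HtmlEncode(entryDate.ToShortTimeString())
             + " -- " + HttpUtility.HtmlEncode(message) + "</p>";
    }

    // A value that lands inside a <script> block is read by the JavaScript
    // parser, so the string delimiters must be escaped for JavaScript, not HTML.
    static string RenderInsideScript(string userName)
    {
        return "<script>var n = \"" + HttpUtility.JavaScriptStringEncode(userName)
             + "\";</script>";
    }

    static void Main()
    {
        // Constructed inputs: the tutorial's payload and a fixed timestamp.
        string payload = "<script>alert(\"Boo!\")</script>";
        DateTime when = new DateTime(2009, 1, 1, 9, 30, 0);

        // Time shown as formatted under the en-US culture.
        Console.WriteLine(RenderVulnerable(when, payload));
        // <p>9:30 AM -- <script>alert("Boo!")</script></p>   (the script runs)

        Console.WriteLine(RenderEncoded(when, payload));
        // <p>9:30 AM -- &lt;script&gt;alert(&quot;Boo!&quot;)&lt;/script&gt;</p>

        // Constructed input that would break out of a JavaScript string literal.
        // HtmlEncode would leave the double quote as &quot;, which is wrong in
        // this context; JavaScriptStringEncode turns it into \" instead.
        string nameFromUser = "Bob\"; alert(1); //";
        Console.WriteLine(RenderInsideScript(nameFromUser));
        // <script>var n = "Bob\"; alert(1); //";</script>
    }
}
```

Compile it as a console project that references System.Web. The output of the first two lines is exactly what the browser receives from Listing 2 and Listing 3 respectively; only the second contains no start tag for the parser to act on.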

Approach #2: HTML Encode in the Controller
Instead of HTML encoding data when you display the data in a view, you can HTML encode
the data just before you submit the data to the database. This second approach is taken in
the case of the controller in Listing 4.

Listing 4 – HomeController.cs (HTML Encoded)
    using System;
    using System.Web.Mvc;
    using CustomerFeedback.Models;

    namespace CustomerFeedback.Controllers
    {
        [HandleError]
        public class HomeController : Controller
        {
            private FeedbackDataContext db = new FeedbackDataContext();

            public ActionResult Index()
            {
                return View(db.Feedbacks);
            }

            public ActionResult Create(string message)
            {
                // Add feedback
                var newFeedback = new Feedback();
                newFeedback.Message = Server.HtmlEncode(message);
                newFeedback.EntryDate = DateTime.Now;
                db.Feedbacks.InsertOnSubmit(newFeedback);
                db.SubmitChanges();

                // Redirect
                return RedirectToAction("Index");
            }
        }
    }



Notice that the value of Message is HTML encoded before the value is submitted to the
database within the Create() action. When the Message is redisplayed in the view, the
stored text is already HTML encoded, so any JavaScript injected in the Message is not
executed.
Typically, you should favor the first approach discussed in this tutorial over this second
approach. The problem with this second approach is that you end up with HTML encoded
data in your database. In other words, the database now holds a representation that is
tied to one output context (an HTML page) instead of the text the customer actually typed.
Why is this bad? If you ever need to display the database data in something other than a
web page, then you will have problems. For example, you can no longer display the data in
a Windows Forms application or a report without first decoding it, and every such consumer
has to remember to do so. The approach also depends on two things staying true forever:
every code path that writes a Feedback (other actions, an import job, an administrative
tool) must encode, and the view must remember not to encode that column again, because
encoding already-encoded text shows the visitor literal &lt;b&gt; instead of bold text.
Encoding at the point of output has neither problem: the view encodes whatever it prints,
whoever wrote it.
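The two consequences of storing encoded text, as an added example that is not code from the original tutorial: the double encoding that results when an already-encoded column passes through a view that encodes its output, and the decoding that any non-HTML consumer must perform. It uses HttpUtility.HtmlEncode, which Server.HtmlEncode delegates to, and HttpUtility.HtmlDecode, and needs a reference to the System.Web assembly. The helper names StoreEncoded, RenderEncoding and ForPlainText and the message string are constructed for this example.

```csharp
// Added example, not part of the tutorial. Requires a reference to System.Web.
using System;
using System.Web;

class StoredEncodingDemo
{
    // Approach #2: the controller encodes before the INSERT, so this is the
    // value the Message column actually holds.
    static string StoreEncoded(string rawMessage)
    {
        return HttpUtility.HtmlEncode(rawMessage);
    }

    // A view that follows Approach #1 and encodes everything it prints.
    static string RenderEncoding(string storedMessage)
    {
        return "<p>" + HttpUtility.HtmlEncode(storedMessage) + "</p>";
    }

    // A non-HTML consumer (a Windows Forms grid, a CSV export, an e-mail):
    // it must undo the HTML encoding or the user sees entity references.
    static string ForPlainText(string storedMessage)
    {
        return HttpUtility.HtmlDecode(storedMessage);
    }

    static void Main()
    {
        // Constructed input: harmless feedback that happens to contain
        // every character HtmlEncode rewrites.
        string raw = "I love <b>bold</b> text & the \"Boo!\" button";

        string stored = StoreEncoded(raw);
        Console.WriteLine(stored);
        // I love &lt;b&gt;bold&lt;/b&gt; text &amp; the &quot;Boo!&quot; button

        // Double encoding: the view encodes the already-encoded column, so the
        // browser displays the literal text &lt;b&gt; instead of bold text.
        Console.WriteLine(RenderEncoding(stored));
        // <p>I love &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt; text &amp;amp; the
        //    &amp;quot;Boo!&amp;quot; button</p>

        // The view would have to know that this one column is pre-encoded and
        // skip Html.Encode for it; that per-field bookkeeping is exactly what
        // Approach #1 avoids.

        // Non-HTML consumers recover the original text by decoding.
        Console.WriteLine(ForPlainText(stored));
        // I love <b>bold</b> text & the "Boo!" button

        // Nothing is lost in the round trip, but every consumer must do it.
        Console.WriteLine(ForPlainText(stored) == raw);   // True
    }
}
```

The decoded text is safe to hand to a Windows Forms control because that control renders text, not HTML; it would be unsafe to hand to a web view, which is why the decision of which representation to store has to be made per consumer when encoding happens at input time.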
Summary
The purpose of this tutorial was to scare you about the prospect of a JavaScript injection
attack. This tutorial discussed two approaches for defending your ASP.NET MVC applications
against JavaScript injection attacks: you can either HTML encode user submitted data in the
view or you can HTML encode user submitted data in the controller.

 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 

ASPNET_MVC_Tutorial_06_CS (transcript)

MVC :: Preventing JavaScript Injection Attacks

The goal of this tutorial is to explain how you can prevent JavaScript injection attacks in your ASP.NET MVC applications. This tutorial discusses two approaches to defending your website against a JavaScript injection attack. You learn how to prevent JavaScript injection attacks by encoding the data that you display. You also learn how to prevent JavaScript injection attacks by encoding the data that you accept.

What is a JavaScript Injection Attack?

Whenever you accept user input and redisplay the user input, you open your website to JavaScript injection attacks. Let’s examine a concrete application that is open to JavaScript injection attacks.

Imagine that you have created a customer feedback website (see Figure 1). Customers can visit the website and enter feedback on their experience using your products. When a customer submits their feedback, the feedback is redisplayed on the feedback page.

Figure 1 – Customer Feedback Website

The customer feedback website uses the controller in Listing 1. This controller contains two actions named Index() and Create().

Listing 1 – HomeController.cs
   using System;
   using System.Web.Mvc;
   using CustomerFeedback.Models;

   namespace CustomerFeedback.Controllers
   {
       [HandleError]
       public class HomeController : Controller
       {
           private FeedbackDataContext db = new FeedbackDataContext();

           public ActionResult Index()
           {
               return View(db.Feedbacks);
           }

           public ActionResult Create(string message)
           {
               // Add feedback
               var newFeedback = new Feedback();
               newFeedback.Message = message;
               newFeedback.EntryDate = DateTime.Now;
               db.Feedbacks.InsertOnSubmit(newFeedback);
               db.SubmitChanges();

               // Redirect
               return RedirectToAction("Index");
           }
       }
   }

The Index() method displays the Index view. This method passes all of the previous customer feedback to the Index view by retrieving the feedback from the database (using a LINQ to SQL query).

The Create() method creates a new Feedback item and adds it to the database. The message that the customer enters in the form is passed to the Create() method in the message parameter. A Feedback item is created and the message is assigned to the Feedback item’s Message property. The Feedback item is submitted to the database with the DataContext.SubmitChanges() method call. Finally, the visitor is redirected back to the Index view where all of the feedback is displayed.

The Index view is contained in Listing 2.
Listing 2 – Index.aspx
   <%@ Page Language="C#" MasterPageFile="~/Views/Shared/Site.Master" AutoEventWireup="true"
       CodeBehind="Index.aspx.cs" Inherits="CustomerFeedback.Views.Home.Index" %>
   <%@ Import Namespace="CustomerFeedback.Models" %>
   <asp:Content ID="indexContent" ContentPlaceHolderID="MainContent" runat="server">
       <h1>Customer Feedback</h1>
       <p>
       Please use the following form to enter feedback about our product.
       </p>
       <form method="post" action="/Home/Create">
           <label for="message">Message:</label>
           <br />
           <textarea name="message" cols="50" rows="2"></textarea>
           <br /><br />
           <input type="submit" value="Submit Feedback" />
       </form>
       <% foreach (Feedback feedback in ViewData.Model) {%>
       <p>
       <%=feedback.EntryDate.ToShortTimeString()%>
       --
       <%=feedback.Message%>
       </p>
       <% }%>
   </asp:Content>

The Index view has two sections. The top section contains the actual customer feedback form. The bottom section contains a foreach loop that loops through all of the previous customer feedback items and displays the EntryDate and Message properties for each feedback item.
The customer feedback website is a simple website. Unfortunately, the website is open to JavaScript injection attacks. Imagine that you enter the following text into the customer feedback form:

   <script>alert("Boo!")</script>

This text represents a JavaScript script that displays an alert message box. After someone submits this script into the feedback form, the message Boo! will appear whenever anyone visits the customer feedback website in the future (see Figure 2).

Figure 2 – JavaScript Injection

Now, your initial response to JavaScript injection attacks might be apathy. You might think that JavaScript injection attacks are simply a type of defacement attack. You might believe that no one can do anything truly evil by committing a JavaScript injection attack.

Unfortunately, a hacker can do some really, really evil things by injecting JavaScript into a website. You can use a JavaScript injection attack to perform a Cross-Site Scripting (XSS) attack. In a Cross-Site Scripting attack, you steal confidential user information and send the information to another website.

For example, a hacker can use a JavaScript injection attack to steal the values of browser cookies from other users. If sensitive information -- such as passwords, credit card numbers, or social security numbers -- is stored in the browser cookies, then a hacker can use a JavaScript injection attack to steal this information. Or, if a user enters sensitive information in a form field contained in a page that has been compromised with a JavaScript attack, then the hacker can use the injected JavaScript to grab the form data and send it to another website.

Please be scared. Take JavaScript injection attacks seriously and protect your user’s confidential information. In the next two sections, we discuss two techniques that you can use to defend your MVC applications from JavaScript injection attacks.

Approach #1: HTML Encode in the View

One easy method of preventing JavaScript injection attacks is to HTML encode any data entered by website users when you redisplay the data in a view. The updated Index view in Listing 3 follows this approach.
Listing 3 – Index.aspx (HTML Encoded)
   <%@ Page Language="C#" MasterPageFile="~/Views/Shared/Site.Master" AutoEventWireup="true"
       CodeBehind="Index.aspx.cs" Inherits="CustomerFeedback.Views.Home.Index" %>
   <%@ Import Namespace="CustomerFeedback.Models" %>
   <asp:Content ID="indexContent" ContentPlaceHolderID="MainContent" runat="server">
       <h1>Customer Feedback</h1>
       <p>
       Please use the following form to enter feedback about our product.
       </p>
       <form method="post" action="/Home/Create">
           <label for="message">Message:</label>
           <br />
           <textarea name="message" cols="50" rows="2"></textarea>
           <br /><br />
           <input type="submit" value="Submit Feedback" />
       </form>
       <% foreach (Feedback feedback in ViewData.Model) {%>
       <p>
       <%=feedback.EntryDate.ToShortTimeString()%>
       --
       <%=Html.Encode(feedback.Message)%>
       </p>
       <% }%>
   </asp:Content>

Notice that the value of feedback.Message is HTML encoded before the value is displayed with the following code:

   <%=Html.Encode(feedback.Message)%>

What does it mean to HTML encode a string? When you HTML encode a string, dangerous characters such as < and > are replaced by HTML entity references such as &lt; and &gt;. So when the string <script>alert("Boo!")</script> is HTML encoded, it gets converted to &lt;script&gt;alert(&quot;Boo!&quot;)&lt;/script&gt;. The encoded string no longer executes as a JavaScript script when interpreted by a browser. Instead, you get the harmless page in Figure 3.
Figure 3 – Defeated JavaScript Attack

Notice that in the Index view in Listing 3 only the value of feedback.Message is encoded. The value of feedback.EntryDate is not encoded. You only need to encode data entered by a user. Because the value of EntryDate was generated in the controller, you don’t need to HTML encode this value.

Approach #2: HTML Encode in the Controller

Instead of HTML encoding data when you display the data in a view, you can HTML encode the data just before you submit the data to the database. This second approach is taken in the case of the controller in Listing 4.

Listing 4 – HomeController.cs (HTML Encoded)
   using System;
   using System.Web.Mvc;
   using CustomerFeedback.Models;

   namespace CustomerFeedback.Controllers
   {
       [HandleError]
       public class HomeController : Controller
       {
           private FeedbackDataContext db = new FeedbackDataContext();

           public ActionResult Index()
           {
               return View(db.Feedbacks);
           }

           public ActionResult Create(string message)
           {
               // Add feedback
               var newFeedback = new Feedback();
               newFeedback.Message = Server.HtmlEncode(message);
               newFeedback.EntryDate = DateTime.Now;
               db.Feedbacks.InsertOnSubmit(newFeedback);
               db.SubmitChanges();

               // Redirect
               return RedirectToAction("Index");
           }
       }
   }

Notice that the value of Message is HTML encoded before the value is submitted to the database within the Create() action. When the Message is redisplayed in the view, the Message is HTML encoded and any JavaScript injected in the Message is not executed.

Typically, you should favor the first approach discussed in this tutorial over this second approach. The problem with this second approach is that you end up with HTML encoded data in your database. In other words, your database data is dirtied with funny looking characters. Why is this bad? If you ever need to display the database data in something other than a web page, then you will have problems. For example, you can no longer easily display the data in a Windows Forms application.
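As an added example, not code from the tutorial, here is a small Python model of the two approaches: html_encode reproduces the entity mapping described above, the create_* and render_* functions stand in for the controller and view of each listing, and plain_text_export plays the role of the non-web consumer (the Windows Forms case). The Feedback class, the preformatted entry_date strings and all function names are assumptions of this example.

```python
# Added example (not the tutorial's own code): a model of the two defenses.
from dataclasses import dataclass

# Entity mapping the tutorial describes for Html.Encode / Server.HtmlEncode.
# str.translate is single-pass, so the '&' produced for '<' is never re-encoded.
_ENTITIES = str.maketrans({"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"})


def html_encode(text: str) -> str:
    """Replace characters that are significant to HTML with entity references."""
    return text.translate(_ENTITIES)


@dataclass
class Feedback:            # stand-in for the tutorial's Feedback model (assumed)
    entry_date: str        # constructed, preformatted time such as "10:30 AM"
    message: str


def create_encode_in_view(db: list, message: str, entry_date: str) -> None:
    """Listing 1 controller: the raw message goes to the database."""
    db.append(Feedback(entry_date, message))


def render_encode_in_view(db: list) -> str:
    """Listing 3 view: user data is encoded at output time; EntryDate,
    generated by the controller, is emitted as is."""
    return "\n".join(f"<p>{f.entry_date} -- {html_encode(f.message)}</p>" for f in db)


def create_encode_in_controller(db: list, message: str, entry_date: str) -> None:
    """Listing 4 controller: the message is encoded before it is stored."""
    db.append(Feedback(entry_date, html_encode(message)))


def render_raw(db: list) -> str:
    """Listing 2 view (no encoding): whatever is stored is emitted unchanged."""
    return "\n".join(f"<p>{f.entry_date} -- {f.message}</p>" for f in db)


def has_live_script(html: str) -> bool:
    """Regression check for a test suite: does a real <script tag reach the page?"""
    return "<script" in html.lower()


def plain_text_export(db: list) -> list:
    """A non-HTML consumer (the tutorial's Windows Forms case): with approach #2
    it receives entity-laden strings instead of what the customer typed."""
    return [f.message for f in db]
```

Feeding the tutorial's <script>alert("Boo!")</script> string through create_encode_in_view and then render_raw reproduces Figure 2, while render_encode_in_view or the Listing 4 path produces the encoded string shown above. Running a store filled by create_encode_in_controller back through render_encode_in_view shows the double encoding (&amp;lt;) that mixing the two approaches causes.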
Summary

The purpose of this tutorial was to scare you about the prospect of a JavaScript injection attack. This tutorial discussed two approaches for defending your ASP.NET MVC applications against JavaScript injection attacks: you can either HTML encode user submitted data in the view or you can HTML encode user submitted data in the controller.