i have a model and a form in the view. i have a simple field of string which is called description. i am able to insert scripts like: <script>alert('xss')</script> to that field. i can see that in other actions in my site with other model i can't i do not have an AllowHtml or anything like that.
the only difference is that for this model i do a post with a json object and content-type of application/json the ModelState.IsValid is returning true. even though there is a description property with an xss script on it...
and for the other actions i do a simple ajax post.
why isn't the validation input work on this kind of JSON ajax posts? how can i prevent xss across the entire site for this kind of ajax requests?
thanks
from input validation not working on asp.net mvc 4 model sent as JSON
No comments:
Post a Comment