Preventing Cross Site Scripting Attacks in ASP.NET MVC 4

Introduction

A website is exposed to various types of attacks and one of the most common types of attack is what is known as Cross Site Scripting (XSS). In a cross site scripting attack, malicious markup and script is entered in the web pages that are viewed by other users. If proper care is not taken to filter this malicious piece of markup, the script gets stored in the system and also rendered on web pages.
Bipin Joshi discusses some of the basics involved in the process of.
Depending on the script injected by the hacker, the damage can range from annoying popups to stolen credentials to access to data stored in cookies. Therefore, it is important for ASP.NET MVC developers to prevent these types of attacks. Luckily, ASP.NET MVC offers a helping hand in safeguarding your websites. This article discusses some of the basics involved in the process.

What is a Cross Site Scripting Attack?
In order to understand what a cross site scripting attack is, let's develop a simple ASP.NET MVC website that accepts some user input. Suppose that you are developing a blog engine and users are allowed to leave comments on blog posts. The following figure shows how the comments might be accepted:
(Figure: Comment Box)
As you might have guessed, the user can enter any text in the textbox and the textarea, including HTML markup tags and script fragments! Once the form is submitted the posted data is saved in the database as shown below:
    public ActionResult SaveData(FormCollection form)
The SaveData() method saves the data in a SQL Server database table named Comments. So far so good. Now assume that a user enters the following text in the comments textarea:
    <h1>Hello World!</h1>
    <script>alert('Cross site scripting attack!');</script>
When such a user posts the above content it gets saved in the database. Later, when this saved content is rendered on a web page, the script executes!
(Figure: Executed Script)
What the above example illustrates is a very mild version of a cross site scripting attack. Imagine what would happen if a clever hacker loaded a malicious script from some different location and stole end user cookies or loaded undesirable content. That is why it is important for you to prevent cross site scripting attacks.

Note: By default ASP.NET 4.5 throws an exception if potentially dangerous content is detected in the request. However, you may need to deviate from this default mechanism in certain cases. In certain legitimate cases it is perfectly acceptable for the user to submit markup. For example, a web page where a blog owner enters the content of a blog post should accept HTML tags. In such cases you can skip the default checking performed by ASP.NET. You can either set requestValidationMode in web.config.
You need to ensure that strings are encoded properly at two distinct places as far as ASP.NET MVC applications are concerned: views, and controllers or other classes. In order to encode strings in views you can use the Html.Encode() method as shown below:
    <%= Html.Encode(c.UserComment) %>
As you can see, the view that displays the user comment now encodes the comment using the Html.Encode() method; this way all of the special characters such as <, > and & are encoded properly. For example, once the Encode() method is in place the same malicious input by the end user is encoded and then rendered on the page as shown below:
(Figure: Html.Encode() method)
As you can see the script is no longer executed even if the comment saved in the database contains the <script> tag. Instead the HTML markup is encoded and then displayed on the page. There is also a shortcut to using Html.Encode(): you can use the <%: and %> block instead of <%= and %>. The following code shows how:
    <%: c.UserComment %>
The <%: and %> block HTML encodes the string and then emits it on the page. The above code takes care of displaying content on the page by HTML encoding it. Here the encoding happens at the view level but the database still contains the malicious markup and script. Wouldn't it be nice if you HTML encoded the content before saving it into the database? You can do so in your controllers or other classes using the Server.HtmlEncode() method:
    UserComment = Server.HtmlEncode(form
The database now stores the HTML encoded version of the comments rather than the raw version. If you need to decode the HTML encoded version back you can use the Server.HtmlDecode() method. In addition to the HTML output displayed on a web page, you may also consider encoding attributes and URLs. Encoding attribute values is important if you are dynamically changing them based on user input. For example, you might be accepting a user's website URL and then setting the href attribute of an anchor tag dynamically. In such cases it is better to encode attribute values using the Html.AttributeEncode() method. On the same lines you can encode URL values using the Url.Encode() method.

Using AntiXssEncoder to Encode Strings
The techniques to prevent cross site scripting attacks that we covered so far are traditional techniques that have their roots in the core ASP.NET framework. In some cases where security is extremely important you may want to use an even more secure technique of encoding. Luckily, the System.Web.Security.AntiXss namespace provides a class, AntiXssEncoder, that can be used to encode HTML content and attribute values.

The major difference between the default encoder used by ASP.NET and the AntiXssEncoder class is that the former uses a blacklist of prohibited characters whereas the latter uses a whitelist of allowed characters, making it more secure. The following code shows how the AntiXssEncoder class can be used in a controller:
    public ActionResult SaveData(FormCollection form)
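As an added example (not the article's own code), the following controller applies the encode-before-saving approach from the previous section with AntiXssEncoder instead of Server.HtmlEncode(), and picks the encoder by the context each value will be rendered in; the Comment model and ICommentRepository are assumed names.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security.AntiXss;

// Hypothetical model and repository; the article does not show its own.
public class Comment
{
    public string UserName { get; set; }
    public string UserComment { get; set; }
    public string Website { get; set; }
}

public interface ICommentRepository { void Save(Comment comment); }

public class CommentsController : Controller
{
    private readonly ICommentRepository _repository;
    public CommentsController(ICommentRepository repository) { _repository = repository; }

    [HttpPost]
    public ActionResult SaveData(FormCollection form)
    {
        var comment = new Comment
        {
            // Element content: HTML-encode with the whitelist-based encoder.
            // useNamedEntities: false emits numeric entities, e.g. '<' becomes &#60;,
            // so a stored "<script>" can never be parsed as a tag when rendered.
            UserName = AntiXssEncoder.HtmlEncode(form["UserName"], false),
            UserComment = AntiXssEncoder.HtmlEncode(form["UserComment"], false),
            // href value: keep only absolute http/https URLs, then attribute-encode.
            Website = SafeHrefValue(form["Website"])
        };
        _repository.Save(comment);
        return RedirectToAction("Index");
    }

    // Returns null when the input is not an absolute http or https URL,
    // so the view can simply omit the anchor tag in that case.
    internal static string SafeHrefValue(string website)
    {
        Uri uri;
        if (!Uri.TryCreate(website, UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return null;
        return AntiXssEncoder.HtmlAttributeEncode(uri.AbsoluteUri);
    }
}
```

Because the stored values are already encoded, the view must emit them with <%= %> rather than <%: %>, otherwise they are encoded twice and the page shows literal &#60; sequences instead of the characters.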
You can override this default with the AntiXssEncoder class by setting the encoderType attribute of the <httpRuntime> element in web.config:
    <httpRuntime encoderType=

A common way to prevent such attacks is to encode data accepted from a user before displaying it on a web page. The Html.Encode() method and the <%: %> code block allow you to do just that. If you wish to encode data before saving it in the database you can use the Server.HtmlEncode() method. A more secure form of encoder is available through the System.Web.Security.AntiXss.AntiXssEncoder class. Methods of the AntiXssEncoder class such as HtmlEncode() and HtmlAttributeEncode() allow you to encode raw strings. You can change the default encoder to AntiXssEncoder in web.config.

About the Author: Bipin Joshi is a blogger, author and an IT trainer who writes about apparently unrelated topics - Yoga & technology! Bipin has been programming since 1. NET framework ever since its inception. He has authored or co-authored half a dozen books and numerous articles on .NET technologies. He has also penned a few books on Yoga.
You can read more about him here.
Using SimpleMembership in ASP.NET MVC 4

Features such as membership and role management have been a part of the ASP.NET core infrastructure since version 2.0. Developers have been using the default membership provider and role provider in their web applications. However, a common observation is that the default membership and role providers are quite rigid in terms of database schema and the way user information is stored. Luckily, SimpleMembership provides a helping hand in this area. It extends the core membership and role providers in such a way that you can use a custom database table to store user information. This article gives you step by step instructions to configure and use SimpleMembership in ASP.NET MVC projects.

Overview of SimpleMembership

Authentication and authorization are commonly needed features in any modern web application. ASP.NET 2.0 introduced membership and role management through the provider model. Although the default membership and role providers work well in many situations, they are quite rigid in terms of database schema and the way they store user information in the database. For example, while using the default membership provider you don't have much control over the table in which user names (login names) are stored. This rigidity creates difficulties in situations where user login information needs to be stored in a table with a custom schema, or where authentication happens via some third party (OAuth based authentication, for example).

SimpleMembership, introduced with WebMatrix, tries to address these issues by offering a flexible model for authenticating users. It relies on the core membership and role providers of ASP.NET but wraps them in an easy to use and flexible way.

Have a look at the following figure that shows the inheritance hierarchy of SimpleMembership.
(Figure: The inheritance hierarchy of SimpleMembership)
The WebMatrix.WebData assembly contains two important classes, viz. SimpleMembershipProvider and SimpleRoleProvider. The SimpleMembershipProvider class inherits from the ExtendedMembershipProvider class, which in turn inherits from the MembershipProvider class residing in the System.Web.Security namespace. The SimpleRoleProvider class inherits directly from the RoleProvider class from the System.Web.Security namespace. Obviously, in order to use SimpleMembership you must refer to the WebMatrix.WebData assembly in your ASP.NET MVC 4 project. If you create a new ASP.NET MVC project using the Internet Application template then by default the project template uses SimpleMembership and already refers to the WebMatrix.WebData assembly. The login system of this template is based on SimpleMembership. However, in the remainder of this article you will not use this template for a couple of reasons. Firstly, you may want to create a blank web site that doesn't include SimpleMembership by default. Secondly, you may not want to use the default login system (AccountController) provided by the Internet Application template. In the latter case it is important for you to understand how SimpleMembership works before you use it in your websites.
Creating a Database

For the sake of this example you will create a new SQL Server database named UserDb that stores user information. The following figure shows the Users table from the UserDb database:
(Figure: The Users table from the UserDb database)
As you can see, this is a custom table. SimpleMembership expects only two simple things from the table schema:
- It should have a column that acts as a unique user identifier (the Id column in this case).
- It should have a column that acts as a login name (UserName in this case).
The interesting thing is that you can give any name to the above two columns. For example, in the above figure the column storing the user identifier is named Id but you could have named it UserID or Uid. Also, note that the Users table contains columns not used by the SimpleMembership provider: DisplayName and Country. These columns are custom, application specific columns and it is up to you how you use the information stored in them.

Configuring an MVC Application to use SimpleMembership

In order to see how SimpleMembership can be used, create a new ASP.NET MVC 4 web application using the Empty project template and the ASPX view engine.
(Figure: New ASP.NET MVC 4 web application using the Empty project template and ASPX view engine)
Then add a reference to the WebMatrix.WebData assembly. Merely adding a reference to WebMatrix.WebData is not sufficient. You also need to tell ASP.NET MVC to use this provider through web.config. So, open web.config and configure Forms authentication for your web application:
    <authentication mode="Forms">
You will develop the Account controller in later sections. Further, add the following markup that specifies the provider information:
    <membership defaultProvider=
Also, ensure that the enabled attribute of <roleManager> is set to true to enable role management features. Also, add a database connection string in the <connectionStrings> section that points to the UserDb database you created earlier:
    <connectionStrings>
      <add name=

The AccountController class contains all the action methods related to user registration, logging in and logging out. The following code shows the Register() action method that creates a new user. This method invokes the InitializeDatabaseConnection() method of the WebSecurity class. WebSecurity is a helper class and resides in the WebMatrix.WebData namespace itself. The InitializeDatabaseConnection() method does an important task: it initializes a database and ensures that certain tables needed by SimpleMembership are available. The first parameter of the InitializeDatabaseConnection() method is the database connection string name as stored in web.config. The second parameter is the table name that stores user information. The third parameter is the name of the user identifier column. The fourth parameter is the name of the column that stores user names. The autoCreateTables parameter controls whether the tables needed by SimpleMembership are created automatically or not. When the above call to the InitializeDatabaseConnection() method executes it creates the following tables in the UserDb database:
(Figure: UserDb database)
Notice all the tables whose names start with webpages. They are needed by SimpleMembership to store membership and role information. Also notice that the call to the InitializeDatabaseConnection() method is wrapped inside an if statement that checks whether the database is already initialized or not. This is done using the WebSecurity.Initialized property.

Now let's discuss the second version of the Register() action method. The second version is intended for POST requests and hence it accepts a FormCollection parameter. The Register view submits to this version of the Register() action method. Inside, you use the CreateUserAndAccount() method of the WebSecurity class. The CreateUserAndAccount() method accepts the UserName, Password and other pieces of information stored in the Users table. The properties of the anonymous object must match the column names of the Users table. After successful registration the user is taken to the login page. The following figure shows the Register view:
(Figure: The Register view)

Creating a Login Page

Now that you have completed the user registration page, let's develop the login page and associated action methods. The following code shows the Login() action methods from the AccountController. The second version of the Login() action method is intended for POST requests. It gets called when the Login page is submitted by the end user. It accepts a parameter of type FormCollection. Inside, it calls the Login() method of WebSecurity, passing a user name and password.
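As an added example that ties the registration and login sections together (this is not the article's own AccountController code), the controller below assumes the web.config connection string is named "UserDbConnection" and that the Register and Login views post fields named UserName, Password, DisplayName and Country.

```csharp
using System.Web.Mvc;
using WebMatrix.WebData;

public class AccountController : Controller
{
    // Assumption: the <connectionStrings> entry for UserDb is named "UserDbConnection".
    private const string ConnectionStringName = "UserDbConnection";

    // InitializeDatabaseConnection must run only once per application,
    // so every action guards it with WebSecurity.Initialized.
    private static void EnsureInitialized()
    {
        if (!WebSecurity.Initialized)
        {
            WebSecurity.InitializeDatabaseConnection(
                ConnectionStringName, "Users", "Id", "UserName", autoCreateTables: true);
        }
    }

    public ActionResult Register()
    {
        EnsureInitialized();
        return View();
    }

    [HttpPost]
    public ActionResult Register(FormCollection form)
    {
        EnsureInitialized();
        // Property names must match the custom columns of the Users table.
        WebSecurity.CreateUserAndAccount(form["UserName"], form["Password"],
            new { DisplayName = form["DisplayName"], Country = form["Country"] });
        return RedirectToAction("Login");
    }

    [HttpPost]
    public ActionResult Login(FormCollection form)
    {
        EnsureInitialized();
        if (WebSecurity.Login(form["UserName"], form["Password"], persistCookie: false))
        {
            return RedirectToAction("Index", "Home");
        }
        // Same message for an unknown user and a wrong password: do not leak which one failed.
        ModelState.AddModelError("", "Invalid user name or password.");
        return View();
    }
}
```

CreateUserAndAccount() throws a MembershipCreateUserException when the user name already exists, so a production controller should catch it and report the failure through ModelState as well.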