I want to achieve

I'm having trouble with XSS countermeasures for JSON POSTs in C#, ASP.NET Core MVC (.NET 5 or .NET Core 3.1).

For example, for data entered directly into a JavaScript grid, about 200 to 300 records are posted from JavaScript as JSON.
(On the server side, the data is added to the DB, or records whose data changed are updated.)

Previously, when using ASP.NET MVC 5, for JSON POSTs I added the [ValidateJsonXss] attribute on the Controller side and used it, as in the following article.

XSS validation from MVC action from JSON ajax post
https://stackoverrun.com/ja/q/12580451

using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

namespace WebApplication.Common {
    // Action filter for ASP.NET MVC 5: runs the framework's request validation over a posted
    // JSON body, which the normal form-field validation does not cover.
    public class ValidateJsonXssAttribute : ActionFilterAttribute {
        public override void OnActionExecuting(ActionExecutingContext filterContext) {
            var request = filterContext.HttpContext.Request;
            // Note: this is an exact Content-Type match; "application/json" without the charset does not match.
            if (request != null && "application/json;charset=UTF-8".Equals(request.ContentType, StringComparison.OrdinalIgnoreCase)) {
                if (request.ContentLength > 0 && request.Form.Count == 0) {
                    // InputStream has already been read once by "ProcessRequest", so rewind it
                    if (request.InputStream.Position > 0) {
                        request.InputStream.Position = 0;
                    }
                    using (var reader = new StreamReader(request.InputStream)) {
                        // Get the posted JSON content
                        var postedContent = reader.ReadToEnd();
                        // Invoke XSS validation
                        int failureIndex;
                        var isValid = RequestValidator.Current.InvokeIsValidRequestString(
                            HttpContext.Current, postedContent, RequestValidationSource.Form, "postedJson", out failureIndex
                        );
                        // Not valid, so throw a request validation exception
                        if (!isValid) {
                            throw new HttpRequestValidationException("Potentially unsafe input detected");
                        }
                    }
                }
            }
        }
    }
}

This is the main subject

1) I would like to replace the above method with something for ASP.NET Core MVC, or switch to a new source,
but I'm having a hard time finding the best way, even when searching English articles.

2) If there is any other better method, please let me know.

Thank you.

Referenced articles

· Prevent cross-site scripting (XSS) in ASP.NET Core
https://docs.microsoft.com/ja-jp/aspnet/core/security/cross-site-scripting?view=aspnetcore-5.0

· HttpUtility.HtmlEncode method
https://docs.microsoft.com/ja-jp/dotnet/api/system.web.httputility.htmlencode?view=net-5.0

· XSS validation from MVC action from JSON ajax post
https://stackoverrun.com/ja/q/12580451

· XSS Prevention .NET Core 2.x and above
https://stackoverflow.com/questions/59770235/xss-prevention-net-core-2-x-and-above

Supplementary information (FW/tool version, etc.)

.NET 5 or .NET Core 3.1
C#, ASP.NET Core MVC
Visual Studio 2019 Professional
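One way to port the filter to ASP.NET Core 3.1 / .NET 5, added here as an example (not code from the question or an ASP.NET Core API): a resource filter, which runs before model binding, buffers the request body, parses the JSON with System.Text.Json and applies the same markup heuristic the classic RequestValidator used to each decoded string. The class name is kept from the question; the regex heuristic and the 400 response are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
// Resource filter: runs before model binding, so the posted JSON is checked before the input
// formatter consumes it. Apply as [ValidateJsonXss] on a controller or action.
public sealed class ValidateJsonXssAttribute : Attribute, IAsyncResourceFilter
{
    // Classic ASP.NET request-validation heuristic: '<' followed by a letter, '!', '/' or '?', or "&#".
    private static readonly Regex Dangerous = new Regex(@"<[A-Za-z!/?]|&#", RegexOptions.Compiled);
    public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)
    {
        var request = context.HttpContext.Request;
        bool isJson = request.ContentType?.StartsWith("application/json", StringComparison.OrdinalIgnoreCase) == true;
        if (isJson && request.ContentLength > 0)
        {
            request.EnableBuffering();           // body must be readable twice: here and by the input formatter
            string body;
            using (var reader = new StreamReader(request.Body, Encoding.UTF8, false, 1024, leaveOpen: true))
                body = await reader.ReadToEndAsync();
            request.Body.Position = 0;           // rewind so model binding still receives the JSON
            try
            {
                using var doc = JsonDocument.Parse(body);
                if (ContainsDangerousString(doc.RootElement))
                {
                    context.Result = new BadRequestObjectResult("Potentially unsafe input detected.");
                    return;
                }
            }
            catch (JsonException) { /* malformed JSON: let the input formatter return its own 400 */ }
        }
        await next();
    }
    // Walks every decoded string value and property name, so an escape such as \u003c is checked
    // as the '<' it decodes to, which a scan of the raw request text would miss.
    public static bool ContainsDangerousString(JsonElement e) => e.ValueKind switch
    {
        JsonValueKind.String => Dangerous.IsMatch(e.GetString()),
        JsonValueKind.Array => e.EnumerateArray().Any(ContainsDangerousString),
        JsonValueKind.Object => e.EnumerateObject().Any(p => Dangerous.IsMatch(p.Name) || ContainsDangerousString(p.Value)),
        _ => false,
    };
}
```

As the linked Microsoft document states, output encoding when the values are rendered remains the primary XSS defence in ASP.NET Core; this filter only reproduces the old input-side check as defence in depth, and it will also reject legitimate data that happens to contain markup.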

  • Answer # 1

    I thought Core 3.1 would have the same functionality as the InvokeIsValidRequestString method used in the action filter, but as far as I have been able to find, it unfortunately seems not to.

    When I type

  • Answer # 2

    Corrected mistakes in the reply column.