WebApi does not protect automatically against XSS; this library is an attempt to make responses to a consuming client safer. Note that it uses the terminology of *safer* and not *safe*. Please consider this as only one layer of protection. You should present a malicious user with several layers of defense.
When it comes to XSS protection, two thoughts should come to your mind:
- Sanitizing input
- Encoding sensitive characters on the out-stream
This simple library helps accomplish the latter. I have been working on some Regex data annotations that are not quite ready for prime time.
```csharp
// Given a string like this that might make it into your system, this library will
// encode it with a simple extension method:
var unsafeString = "<script>alert('hello');</script><a href='#' onClick='javascript:void();'>Foo</a>";
var betterString = unsafeString.ToSaferString();
// betterString holds the same text with the HTML-sensitive characters (<, >, quotes)
// replaced by their HTML entities, e.g. &lt;script&gt;..., so a browser renders it
// as text instead of executing it.
```
That may not be an amazing feat of coding but typically you have a service return an object with nested properties.
The next extension method will look through an object and sanitize output:
```csharp
var someObject = _someService.GetStuff();
...
return Ok(someObject.ToSaferObject());
```
`.ToSaferObject()` uses reflection to iterate objects. Reflection is unable to easily iterate an indexed property (e.g. a `Dictionary<>`). If you are using indexed properties, you will have to handle the iteration of those objects yourself and apply `.ToSaferString()` yourself.
MVC/Razor provide some XSS protections but you won't find them in naked WebApi. Again this is just a layer of defense, please sanitize input as well.
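To make the reflection walk concrete, here is an added example (not the library's own code) of a minimal `ToSaferObject()`-style output encoder. It follows the approach the README describes, encoding every public string property through reflection, and goes one step further by handling the `IDictionary` and `IList` cases that the README says the library leaves to the caller. `SaferOutput`, `Profile` and the `Demo` class are assumed names, and `WebUtility.HtmlEncode` is used as the encoder because it covers `<`, `>`, `&`, `"` and `'`.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Net;
using System.Reflection;

public static class SaferOutput
{
    // Encode the characters that matter in an HTML context.
    public static string ToSaferString(this string value) =>
        value == null ? null : WebUtility.HtmlEncode(value);

    // Walk an object graph in place: strings are encoded, nested objects recursed,
    // dictionaries and lists handled explicitly because reflection cannot iterate
    // indexed properties. Returns the same instance so it can be passed to Ok().
    public static T ToSaferObject<T>(this T target) where T : class
    {
        Walk(target, new HashSet<object>(new ReferenceComparer()));
        return target;
    }

    private static void Walk(object obj, HashSet<object> seen)
    {
        // Value types (ints, DateTime, Guid, ...) carry no markup; strings are encoded
        // by their owner; 'seen' stops infinite recursion on cyclic graphs.
        if (obj == null || obj is string || obj.GetType().IsValueType || !seen.Add(obj))
            return;

        // Dictionary: encode string values; keys are left alone so lookups keep working.
        if (obj is IDictionary dict)
        {
            var keys = new List<object>();
            foreach (var k in dict.Keys) keys.Add(k);
            foreach (var key in keys)
            {
                if (dict[key] is string s) dict[key] = s.ToSaferString();
                else Walk(dict[key], seen);
            }
            return;
        }

        // Lists and arrays: rewrite string elements in place, recurse into the rest.
        if (obj is IList list)
        {
            for (int i = 0; i < list.Count; i++)
            {
                if (list[i] is string s) list[i] = s.ToSaferString();
                else Walk(list[i], seen);
            }
            return;
        }

        // Other enumerables cannot be written through, so only recurse.
        if (obj is IEnumerable enumerable)
        {
            foreach (var item in enumerable) Walk(item, seen);
            return;
        }

        // Plain object: reflect over public, non-indexed instance properties.
        foreach (var prop in obj.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            if (prop.GetIndexParameters().Length > 0 || !prop.CanRead) continue;
            var value = prop.GetValue(obj);
            if (value is string s)
            {
                if (prop.CanWrite) prop.SetValue(obj, s.ToSaferString());
            }
            else
            {
                Walk(value, seen);
            }
        }
    }

    // Identity comparison so 'seen' tracks instances, not Equals() overrides.
    private sealed class ReferenceComparer : IEqualityComparer<object>
    {
        public new bool Equals(object x, object y) => ReferenceEquals(x, y);
        public int GetHashCode(object o) => System.Runtime.CompilerServices.RuntimeHelpers.GetHashCode(o);
    }
}

// Assumed DTO shape with the nesting a service typically returns.
public class Profile
{
    public string Name { get; set; }
    public List<string> Tags { get; set; }
    public Dictionary<string, string> Links { get; set; }
    public Profile Manager { get; set; }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input standing in for data that reached the store unsanitized.
        var p = new Profile
        {
            Name = "<script>alert('hello');</script>",
            Tags = new List<string> { "<b>bold</b>" },
            Links = new Dictionary<string, string> { ["home"] = "<a href='#' onClick='javascript:void();'>Foo</a>" },
            Manager = new Profile { Name = "\"boss\"" }
        };
        p.ToSaferObject();
        Console.WriteLine(p.Name);
        Console.WriteLine(p.Tags[0]);
        Console.WriteLine(p.Links["home"]);
        Console.WriteLine(p.Manager.Name);
    }
}
```

Two design points worth noting: the walk mutates the object in place, so call it on a copy if the same instance is cached or reused server-side, and the encoding is HTML-context encoding only; a value that ends up inside a JavaScript string or a URL needs the encoder for that context instead.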
## Future

I want to provide a more semantic collection of data validation attributes for checking `ModelState`. I have several being used in the wild but want to see how they shake out first.
For example:
```csharp
[ZipCode]
[PhoneNumber]
[Address]
[ProperNoun]
[Url]
[AlphaNumeric]
[Numbers]
[EmailAddress]
```
Some of these already exist in the common libs but I want to create a more definitive list.
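As an added illustration of the input-sanitizing layer the README keeps pointing to (this is not the library's code, and the attributes above are not yet published), here is how one such attribute could be implemented on top of `System.ComponentModel.DataAnnotations`. `AlphaNumericAttribute`, its allowed-character pattern and `CreateUserRequest` are assumptions for the example; `Validator.TryValidateObject` is used so the check runs outside a controller, while in WebApi the same attribute populates `ModelState`.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;

// Hypothetical attribute: allow-list validation, rejecting anything that is not a
// letter, digit or space. An allow-list is preferred over a deny-list of tags.
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field | AttributeTargets.Parameter)]
public sealed class AlphaNumericAttribute : ValidationAttribute
{
    private static readonly Regex Allowed = new Regex(@"^[A-Za-z0-9 ]*$", RegexOptions.Compiled);

    public AlphaNumericAttribute() : base("{0} may contain only letters, digits and spaces.") { }

    // Null is left to [Required]; everything else must be a string matching the allow-list.
    public override bool IsValid(object value) =>
        value == null || (value is string s && Allowed.IsMatch(s));
}

// Assumed request model as a WebApi action would bind it.
public class CreateUserRequest
{
    [Required, AlphaNumeric, StringLength(50)]
    public string DisplayName { get; set; }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input with markup that should never reach storage.
        var req = new CreateUserRequest { DisplayName = "<script>alert('hello');</script>" };
        var results = new List<ValidationResult>();
        bool ok = Validator.TryValidateObject(req, new ValidationContext(req), results, validateAllProperties: true);
        Console.WriteLine(ok ? "valid" : "rejected");
        foreach (var r in results) Console.WriteLine(r.ErrorMessage);
    }
}
```

Inside a controller the framework runs the same attributes during model binding, so the action only needs `if (!ModelState.IsValid) return BadRequest(ModelState);` before touching the data; the output encoding from the earlier sections then remains the second layer for anything that slipped past.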