Html encode text fields in response against XSS attacks (Cross Site Scripting)

[ebicoglu]

Prevent client-side scripts to run in web browser.
Automatically encode HTML or escape chars in Ajax responses so that code in <script></script> tags cannot be evaluated. There maybe multiple targeted devices that's why encoding should be done only in web layer.
According to me, this should be done in the response not in the request because if a 3rd party is inserting an infected data to the database, ABP should encode those as well.

When you create a new role with the name : <script>alert(1)</script>
All the pages that return role name, evaluates this script. eg : https://localhost:44303/Identity/Users/CreateModal

https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery

[iyilm4z]

In this case, we have stored xss which means the record is in db anymore. As it's mentioned encoding output is a good option for stored xss case. However as you may guess we also should validate input before saving it into db. Imho abp needs more generic implementation for xss case, just encoding output is not enough.

Well, just off the top of my head, we could use an ActionFilter to encode each property.

[Cainor]

Hey guys, was this implemented in the framework? or should we implement it manually?

Thanks.