Catching xss in asp.net core. Equivalent of A potentially dangerous Request.QueryString value was detected from the client.

ask 21 Reputation points
2022-06-09T16:10:05.053+00:00

I am developing an app in asp.net core. Previous versions of .net would catch if I entered <script>[script]</script> and throw the A potentially dangerous Request.QueryString value was detected from the client. With asp.net core, I am not getting this error. Is there an equivalent in asp.net core to check for "illegal" characters for xss and sql injection?

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,133 questions
ASP.NET
ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
3,240 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bruce (SqlWork.com) 54,711 Reputation points
    2022-06-09T22:34:33.047+00:00

    no. here is discussion of the issue:

    https://github.com/aspnet/BasicMiddleware/issues/64

    you should do proper server coding instead. no Html.Raw() and no string concat for sql values, use parameters..

    0 comments
  2. Brando Zhang-MSFT 2,796 Reputation points Microsoft Vendor
    2022-06-10T06:11:31.71+00:00

    Hi @ask ,

    As Bruce said, we should do it by using server coding like this article said.

    Besides, for old bowser we could use X-XSS-Protection response header. More details, you could refer to this article.

    For morden browser, you could set the Content Security Policy header to enable the XSS protection checking. More details, you could refer to this article.

    0 comments