Catching xss in asp.net core. Equivalent of A potentially dangerous Request.QueryString value was detected from the client.

asked 2022-06-09T16:10:05.053+00:00
ask 21 Reputation points

I am developing an app in asp.net core. Previous versions of .net would catch if I entered <script>[script]</script> and throw the A potentially dangerous Request.QueryString value was detected from the client. With asp.net core, I am not getting this error. Is there an equivalent in asp.net core to check for "illegal" characters for xss and sql injection?

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
2,531 questions
ASP.NET
ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
1,175 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. answered 2022-06-09T22:34:33.047+00:00
    Bruce (SqlWork.com) 27,941 Reputation points

    no. here is discussion of the issue:

    https://github.com/aspnet/BasicMiddleware/issues/64

    you should do proper server coding instead. no Html.Raw() and no string concat for sql values, use parameters..

    No comments

  2. answered 2022-06-10T06:11:31.71+00:00
    Brando Zhang-MSFT 1,916 Reputation points Microsoft Employee

    Hi @ask ,

    As Bruce said, we should do it by using server coding like this article said.

    Besides, for old bowser we could use X-XSS-Protection response header. More details, you could refer to this article.

    For morden browser, you could set the Content Security Policy header to enable the XSS protection checking. More details, you could refer to this article.

    No comments