Custom Model Binder to Override BindProperty


Morning/Afternoon/Evening all,

I'm pretty new to working within model binders and creating a custom model binder, so some things won't be clear to me.

I'm attempting to create a custom model binder in order to validate/review each string property returned in a class from a web API call, to prevent any XSS attack attempts. I've implemented what I think should be a working solution, but I'm unsure whether or not I've missed out a step or have tried something that isn't workable.

My custom model binder looks like below; I've removed the XSS validation stuff as there's no problem with that code.

using System.ComponentModel;
using System.Web.Mvc;

public class CustomModelBinder : DefaultModelBinder
{
    protected override void BindProperty(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
    {
        if (propertyDescriptor.PropertyType == typeof(string))
        {
            // Look the value up under the full key (model prefix + property name) so nested models resolve too;
            // GetValue returns null when the request carried no such field, and AttemptedValue is the raw text.
            var key = CreateSubPropertyName(bindingContext.ModelName, propertyDescriptor.Name);
            var result = bindingContext.ValueProvider.GetValue(key);
            var stringValue = result == null ? null : result.AttemptedValue;

            // Do the validation/string check work on stringValue (omitted from the post); it sets isXSSAttempt.
            bool isXSSAttempt = false; // placeholder so the snippet compiles

            if (isXSSAttempt)
            {
                bindingContext.ModelState.AddModelError(key, "Invalid input.");
                return;
            }
        }
        base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
    }
}

Inside my global.asax I've set the default binder as follows:

ModelBinders.Binders.DefaultBinder = new CustomModelBinder();

Have I missed out a step in setting up this custom model binder?

I've run tests to check that the XSS validation work is hit, but the HTTP POST calls to the endpoint do not reject the call, and continue as normal. Not sure if it's possible, but I've tried putting breakpoints, but they are never hit. I know the XSS stuff works as I've created a custom attribute, but I'm investigating this method to avoid having to place a custom attribute on every property in every class/model needed in a web API call.

Any pointers or missed steps that you can point out would be welcome.

Cheers

There are 0 best solutions below
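As an added example that is not part of the original post, assuming ASP.NET Web API 2 (System.Web.Http): Web API binds request bodies through its media-type formatters and never consults System.Web.Mvc.ModelBinders, so the MVC DefaultModelBinder registered in global.asax is not in the path of a Web API POST. One place that does see every bound argument, without an attribute on each property, is an action filter; the hypothetical ScreenStringInputAttribute below walks each action argument, applies a check (IsSuspicious is only a stand-in for the asker's own XSS routine) to every reachable string, and rejects the request with 400 when any string fails.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Net.Http;
using System.Reflection;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Http.ModelBinding;

// Hypothetical filter (not the asker's code): walks every string reachable from the bound
// action arguments, so no per-property attribute is needed. Register it once with
// config.Filters.Add(new ScreenStringInputAttribute()) in WebApiConfig.Register.
public class ScreenStringInputAttribute : ActionFilterAttribute
{
    // Stand-in for the asker's own XSS check; replace it with the real routine.
    private static bool IsSuspicious(string value) => value.IndexOf('<') >= 0;
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        foreach (var arg in actionContext.ActionArguments)
            Walk(arg.Key, arg.Value, 0, actionContext.ModelState);
        // Reject before the action runs; ModelState names each offending property.
        if (!actionContext.ModelState.IsValid)
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.BadRequest, actionContext.ModelState);
    }
    private static void Walk(string path, object value, int depth, ModelStateDictionary state)
    {
        if (value == null || depth > 8) return; // depth cap guards cyclic or very deep graphs
        var text = value as string;
        if (text != null)
        {
            if (IsSuspicious(text)) state.AddModelError(path, "Invalid input.");
            return;
        }
        if (value.GetType().IsValueType) return; // numbers, dates, Guids, enums carry no text
        var items = value as IEnumerable;
        if (items != null)
        {
            int i = 0;
            foreach (var item in items) Walk(path + "[" + (i++) + "]", item, depth + 1, state);
            return;
        }
        foreach (var prop in value.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            if (!prop.CanRead || prop.GetIndexParameters().Length > 0) continue;
            Walk(path + "." + prop.Name, prop.GetValue(value, null), depth + 1, state);
        }
    }
}
```

Because the filter runs after binding has finished, it sees the same values the action would, whatever formatter produced them.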