Data annotation to clean field before posting


I have an MVC C# application working and all is good, however, I have just found something bad.

I have a form that allows input text. Of course, that input text is rendered using an HTML helper.

The corresponding model field is something like this:

    [Required]
    [StringLength(50, ErrorMessage = "El {0} debe tener como máximo {1} caracteres.")]
    [Display(Name = "Nombre")]
    public string Nombre { get; set; }

Well... as I said, it works, however, when I enter < in the form field, this error occurs:

A potentially dangerous Request.Form value was detected from the client (Nombre=&quot;&lt;Normal&quot;).

And the form is not actually submitted.

The question is: is there already a data annotation filter that allows me to strip dangerous characters automatically, before posting? If not, how can I create one? Should I add an annotation filter at class or property level? If at property level, I will need to go through all model classes adding the attribute to the string properties. Maybe I could create an action filter also, but I think this could be insecure if the site is actually being attacked.

What are your thoughts?

Thanks Jaime
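One way to handle this, added here as an example (it is not from the question or from any answer on this page): leave ASP.NET request validation switched on, opt out for the single property with the built-in `[AllowHtml]` attribute, and rely on Razor's default HTML encoding when the value is rendered. The controller, action and view names are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class PersonaViewModel
{
    [Required]
    [StringLength(50, ErrorMessage = "El {0} debe tener como máximo {1} caracteres.")]
    [Display(Name = "Nombre")]
    // [AllowHtml] disables request validation for this one property only, so a
    // value such as "<Normal" binds instead of raising "A potentially dangerous
    // Request.Form value was detected". Every other field in the request is still
    // validated. Prefer this over [ValidateInput(false)] on the action, which
    // would switch validation off for the whole request.
    [AllowHtml]
    public string Nombre { get; set; }
}

public class PersonasController : Controller   // assumed controller name
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(PersonaViewModel model)
    {
        if (!ModelState.IsValid)
        {
            // Redisplay the form with the [Required] / [StringLength] messages.
            return View(model);
        }

        // Store the string as entered; do NOT HtmlEncode it here. Encoding belongs
        // at output, otherwise the value is encoded twice when rendered.
        // _repository.Save(model);   // assumed persistence call
        return RedirectToAction("Index");
    }
}

// Razor view (Views/Personas/Create.cshtml, assumed path):
//   @Html.EditorFor(m => m.Nombre)   -- helper re-renders the value HTML-encoded
//   <p>@Model.Nombre</p>             -- "@" encodes by default: "<Normal" is sent
//                                       to the browser as "&lt;Normal"
//   Only @Html.Raw(...) emits a string unencoded; never use it for user input.
```

Stripping characters at bind time is not needed with this approach: the raw value is accepted and neutralised at the point where it could become markup.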
