Context Aware Model Encoding #49165
Unanswered
SerratedSharp asked this question in Q&A
Replies: 1 comment
-
I'm still curious about this. I saw a code example where someone was doing this:
Is this necessary? Or does the Razor parser have some knowledge of context and do the correct encoding for attributes?
-
I recently read the OWASP XSS Prevention Cheat Sheet, and noticed that what encoding is performed is conditional on the context. Sanitizing user content for a DOM element requires different encoding than if it were inserted into an attribute. Sometimes you must JavaScript-escape and then HTML-escape user content (which are different types of sanitization) for certain contexts to properly sanitize it: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
This isn't too surprising, but I didn't consider it before.
Since CSHTML has knowledge of the HTML structure, and it is automatically encoding Model references, is it doing context-aware encoding? I.e., does it recognize when you have a `Model.` reference inside a DOM attribute and do the additional encoding?
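As an added example (not from this discussion, and not Razor or ASP.NET Core code), here are the three context-specific encoders the OWASP cheat sheet distinguishes, in plain JavaScript, plus the layered case the post mentions: a value inside a JavaScript string inside an HTML attribute is JavaScript-escaped first and then attribute-escaped, because the browser decodes in the opposite order. Function names and the sample input are my own.

```javascript
// Added example, not code from the discussion or from Razor/ASP.NET Core:
// one encoder per output context, as the OWASP XSS Prevention Cheat Sheet
// prescribes. The right encoder depends on *where* the untrusted value
// lands, and some destinations need two encoders applied in sequence.

// Encode a code point as an upper-case hex string of at least `width` digits.
const hex = (code, width) => code.toString(16).toUpperCase().padStart(width, '0');

// Context 1: HTML element content. Entity-encode the characters that can
// start a tag, an entity or an attribute delimiter.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Context 2: HTML attribute value. Encode every non-alphanumeric code point
// as &#xHH; so the value cannot terminate even an unquoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + hex(c.codePointAt(0), 2) + ';');
}

// Context 3: inside a JavaScript string literal. Use \xHH / \uHHHH escapes
// for every non-alphanumeric code point, so quotes, backslashes and
// "</script>" cannot end the literal or the enclosing script block.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const code = c.codePointAt(0);
    if (code < 0x100) return '\\x' + hex(code, 2);
    if (code < 0x10000) return '\\u' + hex(code, 4);
    return '\\u{' + hex(code, 1) + '}';
  });
}

// Layered context: a value inside a JS string inside an inline event-handler
// attribute (e.g. onclick="f('...')"). The browser HTML-decodes the attribute
// first and only then parses it as JavaScript, so encode in the reverse
// order: JavaScript-escape first, then attribute-escape the result.
function encodeForJsInAttribute(s) {
  return encodeForHtmlAttribute(encodeForJavaScript(s));
}

// Constructed sample input: a value that would close a quoted attribute and
// add an event handler if written out unencoded.
const sample = '" onmouseover="alert(1)';
```

Note that the order matters: attribute-escaping first and JavaScript-escaping second would leave a backslash-escaped `&amp;` that the browser never decodes back, so the JS escape would be wrong in the opposite direction.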