There is a potential problem in that the web API project could be receiving untrusted input from a HTML5 and JavaScript client. If that input gets persisted, or displayed elsewhere, and then displayed later you could have persistant XSS on your hands.
The solution is fairly simple though believe it or not.
1) Nuget packages can be installed for use with the Web API project's models
<package id="ASPNetWebAPIAntiXss" version="1.0.0" targetFramework="net45" />
<package id="
2) An attribute can be added to the models for the first package above (uses the AntiXssEncoder under the covers)
Add this to models:
[AntiXss]
3) Next you need to secure data coming in via query string or posts other than models (query string data example here)
For Web.config:
<httpRuntime encoderType="System.Web.
==================
For WebApiConfig.cs (in Register)
RequestValidator.Create<
.MapPropertyName(x => x.Property)
.FlattenErrorMessages()
.Map(x => x.Message).ToErrorMessage()
.Init(config);
==================
Then create a class that extends ActionFilterAttribute and in OnActionExecuting add the following
// Check query string data for XSS using Microsoft's AntiXssEncoder
var queryStringDataForRequest = actionContext.Request.
if (QueryDataContainsXss(
{
var response = actionContext.Request.
new HttpResponseException(new HttpResponseMessage()));
actionContext.Response = response;
}
It's up to you to define QueryDataContainsXss(). The simplest, and perhaps safest implementation is to compare the input to encoded input using the AntiXssEncoder with default settings. If you find that they are not equal then break and return false.
Then you can add the attribute to the controllers.
Add this to controllers:
[AntiXssActionFilter]
It's a good idea to add tests for your implementation too. RestSharp is an easy way to add REST client abilities to your tests. I hope that this is helpful to others. Cheers.
Kristian
