Appframe Knowledge Base

1 hits

Security considerations when using @QueryString in razor

<ul> <li>@QueryString.RawValue() gives UNESCAPED querystring parameters and opens for possible XSS! <li>When using the RawValue accessor, always check using a regular expression! <li>Should always be escaped when used in Razor: @HtmlEncode(@QueryString.RawValue("x")) → <li>Best practice: Use "verifying" accessors <li>Integer: @QueryString.IntValue("parameter") - Digits <li>Decimals: @QueryString.DecimalValue("parameter") - Digits followed by optional period and more digits <li>Alphanumeric: @QueryString.Alphanumeric("parameter") - A-Z, a-z and 0-9 <li>List: @QueryString.List("parameter") - Alphanumeric characters and comma <li>Best practice: The verifying accessors throw exceptions upon invalid values, so use checks described above before using them </ul>

razor web · Perma link post comment Posted by: Peter Øren (23-aug-2013)