I need to add some XSS protection to an application's MVC views, which currently use Json.NET and JavaScript widgets. The ViewModels are extremely big and complex, so I can't use the Microsoft AntiXss library to JavaScript-encode properties, so I need to do this in the view.

    dataBindings: new
    {
        inputs = new
        {
            widgetType = "textbox",
            value = new JRaw("myPropertyName")
        }
    }

The JavaScript widget controls currently consume JSON data in the form of JRaw objects. I would like to create a wrapper around the JRaw object, either in the form of a subclass or a utility method, to JavaScript-encode string properties before sending them to the control to bind.

    public static JRaw JRawEncode(JRaw rawObj)
    {
        if (rawObj != null && rawObj.Value.GetType() == typeof (String))
        {
            //Microsoft.Security.Application.Encoder.JavaScriptEncode(rawValue);
        }

        return rawObj;
    }

Is this possible to do on the JRaw object, or am I way off? Is there another way to do this with Json.NET? I am new to Json.NET and XSS encoding, so be gentle please.

mflair2000

1 Answer

OK, let's try to be gentle :) The commented code that you have in your view is supposed to work. I don't know why it is commented.

//Microsoft.Security.Application.Encoder.JavaScriptEncode(rawValue);

The JavaScriptEncode method takes a string as its first parameter. https://wpl.codeplex.com/SourceControl/latest#trunk/Microsoft.Security.Application.Encoder/Encoder.cs

In your code, you are also checking if the JRaw object is a type of String. I don't know how helpful the JRaw.ToString method would be, because it returns a JValue instance.

As long as you pass a string, and expect it to be JavaScript encoded, then Microsoft.Security.Application.Encoder.JavaScriptEncode would work for you.

gmaran23
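An added example (not part of the question or the answer above) of encoding the string at the point where it enters a JRaw, assuming the AntiXSS and Json.NET assemblies named on the page are referenced; `JRawXss`, `EncodedString`, `Demo` and the sample input are hypothetical. It goes slightly beyond the answer by also setting Json.NET's `StringEscapeHandling.EscapeHtml` for ordinary string properties, because a JRaw is written verbatim and is never escaped by the serializer.

```csharp
using System;
using Microsoft.Security.Application;   // AntiXSS library referenced on the page
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class JRawXss   // hypothetical helper, not part of Json.NET
{
    // Turn untrusted text into a quoted, JavaScript-encoded string literal
    // and wrap it in a JRaw so the serializer emits it unchanged.
    public static JRaw EncodedString(string untrusted)
    {
        // emitQuotes: true makes the encoder add the surrounding quotes itself.
        string literal = Encoder.JavaScriptEncode(untrusted ?? string.Empty, true);
        return new JRaw(literal);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input standing in for a user-supplied property value.
        string userInput = "O'Brien </script> \"quoted\"";

        var dataBindings = new
        {
            inputs = new
            {
                widgetType = "textbox",
                // Trusted, developer-written expression: raw on purpose.
                binding = new JRaw("myPropertyName"),
                // Untrusted data that must travel as JRaw: encode first.
                value = JRawXss.EncodedString(userInput),
                // Untrusted data as a normal string: the serializer escapes it.
                label = userInput
            }
        };

        var settings = new JsonSerializerSettings
        {
            // Escapes <, >, &, ' and " in string values (JRaw is not touched).
            StringEscapeHandling = StringEscapeHandling.EscapeHtml
        };

        Console.WriteLine(JsonConvert.SerializeObject(dataBindings, settings));
    }
}
```

Only developer-written expressions should reach `new JRaw(...)` directly; anything derived from request or database data goes through the encoder or stays a plain string property.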