XSS in angularjs app and web api 2

Question

I have a web application. I am using Angularjs and Web Api2.

I have a simple form where user can insert some free text that will be send via email to other people. The text is also saved on db and later can be shown in a web site page. I knew I didn't need to check the input of the user, because in web api, the text is automatically encoded. So I expected that if user, for example, type

<script type="..">...</script>

I receive server side, in my web api controller, something like this:

<script type="..">...</script>

I receive instead

<script type="..">...</script>

nothing changed.

How can I encode my input to be sure that the application do not receive XSS attack? Should I leave the input unchanged but change the value when I put it in the email? And when I save it in my database? It should saved in the form

<script type="..">...</script>

and then encoded when I show it in the page?

In this moment I just added this in my web.config

<httpRuntime ... encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

But nothing seems to be changed.

Thank you

Answer 1

You have multiple possibilities, you can encode the string data you received (https://github.com/mathiasbynens/he) before saving them into the DB, in this manner you don't need to do almost nothing displaying them, because they will displayed as a string like this <script type="..">...</script> for example.

But if you still want to accept some html tags like <p>, <strong>, etc... you should save the input without encoding it and using a sanitizer to display them: https://docs.angularjs.org/api/ng/directive/ngBindHtml