I wanted to prevent script injection using model binders, which I did using model binders, but is there any way to add errors to the Model instead of encoding the value? I want to display an error message without sanitizing the script.
I am using .NET Core 3.x MVC. Below is the sample HtmlEncodeModelBinder I used:
using System;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.ModelBinding;

public class HtmlEncodeModelBinder : IModelBinder
{
    private readonly IModelBinder _fallbackBinder;

    public HtmlEncodeModelBinder(IModelBinder fallbackBinder)
    {
        if (fallbackBinder == null)
            throw new ArgumentNullException(nameof(fallbackBinder));
        _fallbackBinder = fallbackBinder;
    }

    public Task BindModelAsync(ModelBindingContext bindingContext)
    {
        if (bindingContext == null)
            throw new ArgumentNullException(nameof(bindingContext));

        var valueProviderResult = bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
        if (valueProviderResult == ValueProviderResult.None)
        {
            // No value posted for this property: defer to the default binder.
            return _fallbackBinder.BindModelAsync(bindingContext);
        }

        var valueAsString = valueProviderResult.FirstValue;
        if (string.IsNullOrEmpty(valueAsString))
        {
            return _fallbackBinder.BindModelAsync(bindingContext);
        }

        // wanted to add a model error instead of HTML-encoding if there are any script tags
        var result = HtmlEncoder.Default.Encode(valueAsString);
        bindingContext.Result = ModelBindingResult.Success(result);
        return Task.CompletedTask;
    }
}
Help is much appreciated.
Thanks,
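
One way to do what the question asks, as an added example that is not part of the original post: the binder records a model error and fails binding when a value looks like markup, instead of encoding it. The class name `RejectMarkupModelBinder`, the tag-detection regex and the error text are assumptions made for illustration; the binder is assumed to be registered the same way as `HtmlEncodeModelBinder`, and output encoding in the views remains the primary XSS defense.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.ModelBinding;

// Hypothetical binder (name assumed): rejects markup-like input with a model error
// instead of encoding it.
public class RejectMarkupModelBinder : IModelBinder
{
    // Assumed heuristic: "<" followed by a letter, "/", "!" or "?" looks like a tag.
    private static readonly Regex MarkupPattern =
        new Regex(@"<[a-zA-Z/!?]", RegexOptions.Compiled | RegexOptions.CultureInvariant);

    private readonly IModelBinder _fallbackBinder;

    public RejectMarkupModelBinder(IModelBinder fallbackBinder)
    {
        _fallbackBinder = fallbackBinder ?? throw new ArgumentNullException(nameof(fallbackBinder));
    }

    public Task BindModelAsync(ModelBindingContext bindingContext)
    {
        if (bindingContext == null)
            throw new ArgumentNullException(nameof(bindingContext));

        var valueProviderResult = bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
        if (valueProviderResult == ValueProviderResult.None)
            return _fallbackBinder.BindModelAsync(bindingContext);

        // Record the attempted value so the form can be redisplayed; Razor encodes it on output.
        bindingContext.ModelState.SetModelValue(bindingContext.ModelName, valueProviderResult);

        // Check every submitted value, not only the first one.
        foreach (var value in valueProviderResult.Values)
        {
            if (!string.IsNullOrEmpty(value) && MarkupPattern.IsMatch(value))
            {
                // Fixed message: the rejected input is never echoed back in the error text.
                bindingContext.ModelState.TryAddModelError(
                    bindingContext.ModelName, "HTML or script markup is not allowed in this field.");
                bindingContext.Result = ModelBindingResult.Failed();
                return Task.CompletedTask;
            }
        }

        // Clean input: let the default binder convert and bind it unchanged.
        return _fallbackBinder.BindModelAsync(bindingContext);
    }
}
```

With this binder in place the action sees `ModelState.IsValid == false` for rejected input, and the message appears wherever the view renders validation output for that property.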