According to Microsoft, starting with .NET 4.0, AntiXSS is included in the structure and is enabled by default. this is true for MVC, but when it comes to Web Api, there is no right solution.
for example, I have this very simple API stream:
public class MessageViewModel
{
public int TargetID { get; set; }
public string Content { get; set; }
}
and Api controller:
public class MessagesController : ApiController
{
[HttpPost]
public MessageResponse SendMessage(MessageViewModel model)
{
MessageResponse response = null;
if (ModelState.IsValid)
{
response = _logic.SendMessage(model);
}
return response;
}
}
this Content property of the MessageViewModel may contain malicious scripts / code that will later be sent to other users.
Is there a way to enable AntiXSS in Web Api in the same way that it works for MVC? and if not, what appropriate solution exists to protect the entire application from XSS without using attributes for each particular presentation model?