@model WebApplication.Models.DefaultModel
@{
var ko = new KnockoutContext<WebApplication.Models.DefaultModel>(ViewContext);
}
<form>
@ko.Html.TextBox(m => m.Foo)
@ko.Html.Span(m => m.Foo)
<button type="submit">Send</button>
</form>
@ko.Apply(Model)
model:
public class DefaultModel
{
public string Foo { get; set; }
}
action:
[ValidateInput(false)] // turn off XSS protection in ASP.NET
public ActionResult Index(Models.DefaultModel model)
{
Response.AddHeader("X-XSS-Protection", "0"); // turn off XSS protection in browser
return View(model ?? new Models.DefaultModel());
}
Steps to reproduce:
Type </script><script>alert('XSS');</script><script> into textbox
Example form to reproduce:
model:
action:
Steps to reproduce:
</script><script>alert('XSS');</script><script>
into textboxVulnerable line: https://github.com/AndreyAkinshin/knockout-mvc/blob/959da9986fdff0553dcb0f4731a1d13047ca2f7b/PerpetuumSoft.Knockout/KnockoutContext.cs#L61
Possible solution:
Workaround: