
Is XSS an issue with ASP.NET MVC2 and HTML textboxes?

I have an intranet website built with ASP.NET, using both the MVC framework version 2.0 and the Entity Framework.

One of the bits of data I am interested in is Notes. It is stored in a database as type text. It is saved and loaded using Entity framework. It is only displayed on the web in text box inputs. The data is not used on the server at all.

So the question is whether this poses an XSS hazard if I turn off the validation on the server, and whether I need to worry about encoding Notes before putting it into a text box input.

COMMENTS 1

I am only using .NET 3.5. I'm praying that this will be updated in the future once I get out of Visual Studio 2008 ;)

The following is how I am putting notes onto a webpage.

<%= Html.TextArea("Notes", null, new { rows = "10", style = "width:100%" }) %>

The above is the only way Notes is being put onto a webpage. On the server, I am doing something like (I left out the where statement):

// Load the row to update (the where clause was left out of the post)
var myStruct = (from u in myDB.dbSomeStruct
                select u).FirstOrDefault();
// Store the Notes value exactly as submitted; nothing is encoded at save time
myStruct.Notes = Notes;
myDB.SaveChanges();


XSS really comes down to encoding output, i.e., what you send out from the server onto the page.

Putting other types of injection attacks aside for the moment (e.g. SQL injection), a user can send you any maliciously crafted input. Now, I wouldn't recommend storing that input in encoded form, as you may want to do other things with it (like putting it in a medium other than the web). But when you send that input back as a response to a web request, make sure you encode it. It could be that the only user who can see the input in a response is the original user who supplied it in the first place, in which case you may consider that encoding it is not necessary. I would recommend encoding it anyway as a standard approach, as you never know when the application functionality may change so that other users can see that input, and all of a sudden you have a potential XSS exploit!

So the above deals with input coming from your system. The same goes for input coming from any other system: always encode it. Data from any source other than what you have explicitly created yourself cannot be trusted. I find thinking from this standpoint a good start to mitigating XSS.

If you're using MVC 2 on .NET 4 then using <%: Data %> will HTML encode Data using the default encoder. If you're not using .NET 4 then you'll need to use <%= Html.Encode(Data) %>.

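To make the answer's point concrete for a textarea, here is an added example; it is not code from the question, the answer, or the MVC helpers themselves. It builds the same markup the view above produces two ways: once with the stored Notes value dropped in raw, and once passed through an HTML encoder covering the characters `Html.Encode` / `<%: %>` escape on the server. JavaScript is used so the markup can be built and inspected offline. The `renderRaw`, `renderEncoded` and `scriptTagsOutsideTextarea` helpers and the Notes values are constructed for this illustration. The security-relevant detail: a browser ends a `<textarea>` element at the first `</textarea` it sees in the content, so a stored value containing that sequence breaks out of the box and anything after it is parsed as live markup.

```javascript
// Added example (not from the original Q&A): why a value rendered inside
// <textarea> still needs HTML encoding.

// Minimal HTML encoder for element content and attribute values. This is a
// stand-in for server-side HtmlEncode, not a copy of it; the assumption is
// that these five characters are the ones that matter for breaking out of
// text content or a quoted attribute.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: Notes interpolated into the textarea body verbatim.
function renderRaw(notes) {
  return `<textarea name="Notes" rows="10" style="width:100%">${notes}</textarea>`;
}

// Hardened rendering: identical markup, value encoded first.
function renderEncoded(notes) {
  return `<textarea name="Notes" rows="10" style="width:100%">${htmlEncode(notes)}</textarea>`;
}

// Crude check standing in for the browser's tokenizer: textarea content is
// RCDATA and ends at the first "</textarea" sequence, so any markup from that
// point on is parsed as real elements. Count <script tags that land outside
// the textarea body.
function scriptTagsOutsideTextarea(html) {
  const open = html.indexOf("<textarea");
  const closeStart = html.indexOf("</textarea", open);
  const outside = html.slice(0, open) + html.slice(closeStart);
  return (outside.match(/<script\b/gi) || []).length;
}

// What the user sees in the box: the browser decodes entities inside RCDATA,
// so encoded text comes back as the original characters, tags included but
// inert. Decode &amp; last so "&amp;lt;" does not turn into "<".
function textareaContent(html) {
  const bodyStart = html.indexOf(">", html.indexOf("<textarea")) + 1;
  const bodyEnd = html.indexOf("</textarea", bodyStart);
  return html.slice(bodyStart, bodyEnd)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Constructed malicious Notes value: closes the textarea, then runs script.
const maliciousNotes = '</textarea><script>alert(document.cookie)</script>';

// Constructed benign Notes value with characters that must survive the
// encode/decode round trip unchanged.
const benignNotes = 'Ping me if x < 5 && y > 2 "urgent"';

// Summary of both renderings for the two inputs.
function compare(notes) {
  return {
    rawBreakout: scriptTagsOutsideTextarea(renderRaw(notes)),
    encodedBreakout: scriptTagsOutsideTextarea(renderEncoded(notes)),
    shownToUser: textareaContent(renderEncoded(notes)),
  };
}

console.log(compare(maliciousNotes));
console.log(compare(benignNotes));
```

Run it and the raw rendering of the malicious value yields one `<script>` element outside the textarea, while the encoded rendering yields none and still shows the user the exact text they typed, angle brackets and all. That is the practical reason to encode even data that "only goes into a text box": the textarea is only a container as long as its closing tag cannot appear inside the content.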
