I'm performing penetration tests with Acunetix and the following query "api/venues?gameId=1'"()%26%25vAtC(9571)" is getting the following response:
{ "status": 400, "userMessage": [ "There are validation errors" ], "validationErrors": [ "The value '1'\\"()&%<acx><ScRiPt >NJMi(9780)</ScRiPt>' is not valid." ] }
This is detected by Acunetix as a possible XSS security issue and I would like to override the validation error message in order to avoid this in the whole application.
Model binder messages can be customized like this:
services.AddMvcCore().AddMvcOptions(options =>
{
options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(s => "The provided value is invalid.");
});
It's worth adding that there are three other baked-in binder errors which display the value back. Altogether:
options.ModelBindingMessageProvider.SetAttemptedValueIsInvalidAccessor((x, y) => $"The value is not valid for {y}.");
options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(x => "The value is not valid.");
options.ModelBindingMessageProvider.SetValueIsInvalidAccessor(x => "The value is invalid.");
options.ModelBindingMessageProvider.SetValueMustNotBeNullAccessor(x => "The value is invalid.");
Best to check the MSDN documentation for ModelBindingMessageProvider to see what's currently available.
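The following is an added, complete example (not code from either answer above) showing both answers applied in one ASP.NET Core (.NET 6+) application: every message provider accessor that receives the attempted value is replaced with a string that does not use it, the remaining accessors are given consistent wording, and the automatic 400 response from [ApiController] is shaped like the JSON in the question. The VenuesController, the exact message wording and the response shape are assumptions made for this example; the accessor names are the real members of DefaultModelBindingMessageProvider.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Program.cs (.NET 6+ minimal hosting). Added example; not the original answerer's code.
var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddControllers(options =>
    {
        var p = options.ModelBindingMessageProvider;

        // Accessors whose first argument is the client-supplied attempted value.
        // None of the replacement strings use that argument, so raw input never
        // reaches the response body through a model binding error.
        p.SetAttemptedValueIsInvalidAccessor((attemptedValue, fieldName) => $"The value supplied for '{fieldName}' is not valid.");
        p.SetNonPropertyAttemptedValueIsInvalidAccessor(attemptedValue => "The supplied value is not valid.");
        p.SetValueIsInvalidAccessor(attemptedValue => "The supplied value is not valid.");
        p.SetValueMustNotBeNullAccessor(attemptedValue => "A value is required.");

        // The remaining accessors receive only the field name (developer-controlled)
        // or nothing; overriding them keeps one consistent wording site-wide.
        p.SetMissingBindRequiredValueAccessor(fieldName => $"A value for '{fieldName}' is required.");
        p.SetValueMustBeANumberAccessor(fieldName => $"The value supplied for '{fieldName}' must be a number.");
        p.SetNonPropertyValueMustBeANumberAccessor(() => "The supplied value must be a number.");
        p.SetUnknownValueIsInvalidAccessor(fieldName => $"The value supplied for '{fieldName}' is not valid.");
        p.SetNonPropertyUnknownValueIsInvalidAccessor(() => "The supplied value is not valid.");
        p.SetMissingKeyOrValueAccessor(() => "A required key or value is missing.");
        p.SetMissingRequestBodyRequiredValueAccessor(() => "A non-empty request body is required.");
    })
    // Shapes the automatic 400 from [ApiController] like the response in the
    // question (assumed shape). Only the ErrorMessage strings are emitted.
    .ConfigureApiBehaviorOptions(options =>
    {
        options.InvalidModelStateResponseFactory = context =>
        {
            var messages = context.ModelState
                .Where(kv => kv.Value != null)
                .SelectMany(kv => kv.Value!.Errors)
                .Select(e => e.ErrorMessage)
                .ToArray();

            return new BadRequestObjectResult(new
            {
                status = 400,
                userMessage = new[] { "There are validation errors" },
                validationErrors = messages
            });
        };
    });

var app = builder.Build();

// Defence in depth: the body is application/json, which browsers do not render
// as HTML, but nosniff stops a browser from second-guessing the content type.
app.Use(async (context, next) =>
{
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    await next();
});

app.MapControllers();
app.Run();

// Hypothetical controller standing in for the page's api/venues endpoint.
[ApiController]
[Route("api/[controller]")]
public class VenuesController : ControllerBase
{
    // GET /api/venues?gameId=1                  -> 200
    // GET /api/venues?gameId=1'"()%26%25vAtC    -> 400 whose body no longer contains the attempted value
    [HttpGet]
    public IActionResult Get([FromQuery] int gameId) =>
        Ok(new { gameId, venues = Array.Empty<string>() });
}
```

Two practical notes. First, ConfigureApiBehaviorOptions is called on the IMvcBuilder returned by AddControllers rather than via a separate Configure<ApiBehaviorOptions>, because the framework's own setup for that options type assigns InvalidModelStateResponseFactory and would otherwise overwrite an earlier registration. Second, the reflected string in the question sits inside an application/json body, so it is not executed as script by a browser on its own; the change still matters because the same ModelState messages are commonly rendered into HTML views or copied into front-end error displays, and because removing the echo resolves the scanner finding at the source rather than per endpoint.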