ASP.NET 1.1+ comes with a feature called Request Validation, which prevents the server from accepting content containing un-encoded HTML. This feature acts as a first layer of protection against Cross-Site Scripting (XSS) attacks and as a simple Web Application Firewall (WAF), rejecting requests that potentially contain malicious content.

While this feature is not a silver bullet that prevents all XSS attacks, it helps catch basic ones. For example, it will prevent <script type="text/javascript" src="https://malicious.domain/payload.js"> from reaching your Controller.

Note: Since the Request Validation feature is only available in ASP.NET, no Security Hotspot is raised on ASP.NET Core applications.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

At Controller level:

' Sensitive: Request Validation is switched off for this action, so raw HTML in Name reaches the method body
<ValidateInput(False)>
Public Function Welcome(Name As String) As ActionResult
  ...
End Function

At application level, configured in the Web.config file:

<configuration>
   <system.web>
      <pages validateRequest="false" />
      ...
      <httpRuntime requestValidationMode="0.0" />
   </system.web>
</configuration>

Compliant Solution

At Controller level:

' Compliant: Request Validation is explicitly enabled for this action
<ValidateInput(True)>
Public Function Welcome(Name As String) As ActionResult
  ...
End Function

or

' Compliant: with no attribute, the framework default (validation enabled) applies
Public Function Welcome(Name As String) As ActionResult
  ...
End Function

At application level, configured in the Web.config file:

<configuration>
   <system.web>
      <pages validateRequest="true" />
      ...
      <httpRuntime requestValidationMode="4.5" />
   </system.web>
</configuration>
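The following is an added example, not code from the rule page, showing how to keep Request Validation enabled at application and Controller level while exempting only the one field that legitimately needs markup; it relies on ASP.NET MVC's AllowHtml attribute and HttpUtility.HtmlEncode (real APIs, not mentioned on the page), and the controller, view model and view names are assumptions.

```vbnet
Imports System.Web
Imports System.Web.Mvc

' Constructed view model: only the Bio field is expected to carry HTML markup.
Public Class ProfileViewModel
    Public Property Name As String

    ' <AllowHtml> exempts exactly this property from Request Validation, so the
    ' rest of the request (Name, query string, cookies) is still screened.
    ' This is the narrow alternative to <ValidateInput(False)> on the action.
    <AllowHtml>
    Public Property Bio As String
End Class

' Request Validation stays on for every action here: no <ValidateInput(False)>,
' and Web.config keeps validateRequest="true" / requestValidationMode="4.5".
Public Class ProfileController
    Inherits Controller

    ' Name is validated by the framework before this method runs; a value such as
    ' "<script>" in Name is rejected with an HttpRequestValidationException.
    <HttpPost>
    <ValidateAntiForgeryToken>
    Public Function Update(model As ProfileViewModel) As ActionResult
        If Not ModelState.IsValid Then
            Return View(model)
        End If

        ' Bio bypassed validation, so it is untrusted input. Razor's @ syntax
        ' HTML-encodes by default; encode explicitly if the value is emitted
        ' through any other path (Html.Raw, JavaScript, e-mail templates).
        Dim encodedBio As String = HttpUtility.HtmlEncode(model.Bio)

        ViewBag.Name = model.Name
        ViewBag.Bio = encodedBio
        Return View("Welcome")
    End Function
End Class
```

If a property is marked with AllowHtml, that is the single place a reviewer needs to check for output encoding, instead of every parameter of an action that disabled validation wholesale.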

See