Adding Cross Site Scripting protection in EPiServer CMS with .NET 4.0

Request validation is a feature in ASP.NET that examines an HTTP request and determines whether it contains potentially dangerous content and helps prevent attacks like Cross Site Scripting (XSS). 

The feature was also included in earlier versions of ASP.NET, where it was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

ASP.NET 4 request validation on the other hand is by default enabled for all requests because it is initiated before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx pages.

To activate the .NET 4.0 request validation feature, open web.config, find the httpRuntime node and set requestValidationMode="4.0". This will globally enable request validation for all resources on your site.

<system.web>
<httpRuntime requestValidationMode="4.0" />
...
</system.web>

After activating this, your site would show a very harsh Yellow-Screen-Of-Death if you tried to post data containing "dangerous" input, e.g. <script>alert(‘XSS attack’)</script>. To prevent this, you would normally sanitize any user input before processing it (I hope), which of course is all good. 

So why aren't all EPiServer sites using request validation?

If you try to add this feature to your solution you will quickly discover that EPiServer and request validation 4.0 aren’t exactly friends. Why? Because every time you try to post data containing HTML (e.g. editing an XHTML property in EPiServer using the TinyMCE editor), you’re posting "dangerous" data (or at least that’s what the request validator thinks). Of course this also applies to creating new pages as well. So what do we do?

One approach could be to revert to request validation 2.0 for EPiServer specific areas only. This can easily be done by adding <httpRuntime requestValidationMode="2.0"> to the EPiServer Edit and Admin section in web.config. However, this would not work for On-Page-Editing. We need to add a more flexible layer of security, and now there's an EPiServer plugin for it. 

Introducing the Epinova.RequestValidator plugin

This plugin is basically a layer between the request and Microsoft’s own request validator, and enables you to define your own set of rules:

• Specify if you always should trust data from edit, admin and DOPE (default="true")
• Specify if the user should be redirected to a custom page instead of the standard YSoD
• Disable/Enable each specific request type
• Validate specific request types using a whitelist of valid HTML elements through a RegEx expression

This plugin is of course best introduced as early in the project as possible. If you want to apply a whitelist of valid inputs it is very important that you test with real data from day one!

Installing and configuring the plugin

1. Download the Epinova.RequestValidator.dll (the plugin is free).
2. Reference the DLL in your project.
3. Add the requestValidationType attribute in your web.config:

<system.web>
<httpRuntime requestValidationMode="4.0" requestValidationType="Epinova.RequestValidator.CustomRequestValidator" />
...
</system.web>

You’ve now enabled an EPiServer-friendly request validator.

Whitelist definitions for valid input are located in admin mode under the "Config" tab -> "Plug-In Manager" -> "Epinova.RequestValidator":

E.g. to allow XML input to be posted in your querysting you can add the RegEx expression "<?xml" in the QueryString field.

The code for RegEx matching whitelist elements looks like this:

var regEx = new Regex(expression, RegexOptions.IgnoreCase);
return regEx.IsMatch(value);

This plugin was developed for CMS 6 but should work for CMS 7 as well.