Sunday, February 13, 2011

Is BindingHelperExtensions.updatefrom / Controller.UpdateModel insecure?

I've been reading about UpdateFrom, used to update a business object from the request. Is it massively susceptible to XSS code and extra form parameters being posted?

  • UpdateFrom was removed in one of the older MVC previews. The replacement is Controller.UpdateModel.

    With regards to security, one of the following should be true:

    1. Your type (the type of the object you pass to UpdateModel) has no fields that the user cannot update, or
    2. You pass a list of keys representing the property names that the user can update to UpdateModel, using the supplied overload.

    If one of these is true, then there is no special security risk from using UpdateModel. All other security best practices, of course, still apply.

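An added illustration of the two conditions in the answer (example code, not from the question, the answer, or the ASP.NET MVC project): a hypothetical `UserProfile` with an `IsAdmin` flag, the unsafe parameterless `UpdateModel` call, and the two safe variants. It assumes ASP.NET MVC 2 or later for `[HttpPost]`; `IProfileRepository` and all type and property names are invented for the example.

```csharp
using System.Web.Mvc;

public class UserProfile
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be settable from a form post
}
// Rule 1 from the answer: a type with no properties the user may not update.
public class ProfileEditModel
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}
// Hypothetical persistence layer, standing in for the app's own data access.
public interface IProfileRepository { UserProfile Load(int id); void Save(UserProfile p); }

public class ProfileController : Controller
{
    public IProfileRepository Repo { get; set; }   // assumed to be injected

    // RISK: UpdateModel binds every public settable property from the request,
    // so a posted field "IsAdmin=true" (over-posting) silently elevates the account.
    [HttpPost]
    public ActionResult EditUnsafe(int id)
    {
        var profile = Repo.Load(id);
        UpdateModel(profile);
        Repo.Save(profile);
        return RedirectToAction("Index");
    }
    // Rule 2 from the answer: pass the whitelist of bindable property names.
    [HttpPost]
    public ActionResult EditWhitelisted(int id)
    {
        var profile = Repo.Load(id);
        UpdateModel(profile, new[] { "DisplayName", "Email" });
        Repo.Save(profile);
        return RedirectToAction("Index");
    }
    // Rule 1 applied: bind the request to the edit model, then copy only those
    // fields across; IsAdmin is not reachable from the form at all.
    [HttpPost]
    public ActionResult EditViewModel(int id, ProfileEditModel input)
    {
        if (!ModelState.IsValid) return View(input);
        var profile = Repo.Load(id);
        profile.DisplayName = input.DisplayName;
        profile.Email = input.Email;
        Repo.Save(profile);
        return RedirectToAction("Index");
    }
}
```

The XSS part of the question is a separate concern from binding: whichever variant is used, stored values still need HTML-encoding when rendered (for example via `Html.Encode` in the view).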