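        /// <summary>
        /// Creates a blog post owned by the currently authenticated author.
        /// </summary>
        /// <param name="blogPostRequest">
        /// Incoming post. Its <c>Title</c> and <c>Text</c> are run through <c>_sanitizer</c>
        /// before the entity is built, so only the sanitized values are persisted and echoed back.
        /// </param>
        /// <returns>
        /// 201 Created pointing at <see cref="Get"/> with the protected post id in the route and body;
        /// 400 when no body was bound; 401 when the <c>authorId</c> claim is missing or not a <see cref="Guid"/>.
        /// </returns>
        public async Task<IActionResult> Post([FromBody] BlogPostRequest blogPostRequest)
        {
            if (blogPostRequest is null)
            {
                return BadRequest();
            }

            // FindFirst(...).Value throws NullReferenceException (a 500) when the claim is absent,
            // and new Guid(...) throws FormatException when it is malformed. Both mean the caller
            // is not an identified author, so answer 401 rather than surface a server error.
            var authorClaim = HttpContext.User.FindFirst("authorId");
            if (!Guid.TryParse(authorClaim?.Value, out var authorId))
            {
                return Unauthorized();
            }

            // Sanitize the user-supplied HTML before it reaches the database or any response.
            // Post value: <div onload=alert('xss')>Title</div>
            blogPostRequest.Title = _sanitizer.Sanitize(blogPostRequest.Title);
            // Post value: <script type="text/javascript">alert('text')</script>
            blogPostRequest.Text  = _sanitizer.Sanitize(blogPostRequest.Text);

            var blogPost = blogPostRequest.CreateBlogPost(authorId);
            await _ctx.BlogPosts.AddAsync(blogPost);
            await _ctx.SaveChangesAsync();

            // Protect the id once; the same opaque value is used in the body and the Location route.
            var protectedId = _blogPostProtector.Protect(blogPost.Id.ToString());
            var blogPostResponse = BlogPostResponse.FromBlogPost(protectedId, blogPost, true);

            return CreatedAtAction(nameof(Get), new { id = protectedId }, blogPostResponse);
        }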