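/// <summary>
/// Creates a blog post owned by the authenticated caller.
/// </summary>
/// <param name="blogPostRequest">
/// The submitted post. <c>Title</c> and <c>Text</c> are run through <c>_sanitizer</c> before
/// being stored; sample hostile values from the original notes are
/// <c>&lt;div onload=alert('xss')&gt;Title&lt;/div&gt;</c> and
/// <c>&lt;script type="text/javascript"&gt;alert('text')&lt;/script&gt;</c>.
/// </param>
/// <returns>
/// 201 Created pointing at <see cref="Get"/> with the protected post id; 400 when no body
/// was bound; 401 when the caller has no usable "authorId" claim.
/// </returns>
public async Task<IActionResult> Post([FromBody] BlogPostRequest blogPostRequest)
{
    if (blogPostRequest is null)
    {
        return BadRequest();
    }

    // The author is taken from the caller's claims, never from the request body, so a
    // client cannot create posts on behalf of another user. A missing or malformed claim
    // previously surfaced as NullReferenceException/FormatException (HTTP 500); reject it
    // explicitly instead.
    var authorClaim = HttpContext.User.FindFirst("authorId")?.Value;
    if (!Guid.TryParse(authorClaim, out var authorId))
    {
        return Unauthorized();
    }

    // Strip active content from user-supplied HTML before it is persisted.
    // Sample inputs the sanitizer must neutralise:
    //   Title: <div onload=alert('xss')>Title</div>
    //   Text:  <script type="text/javascript">alert('text')</script>
    blogPostRequest.Title = _sanitizer.Sanitize(blogPostRequest.Title);
    blogPostRequest.Text = _sanitizer.Sanitize(blogPostRequest.Text);

    var blogPost = blogPostRequest.CreateBlogPost(authorId);
    await _ctx.BlogPosts.AddAsync(blogPost);
    await _ctx.SaveChangesAsync();

    // The database id is never exposed directly; clients only ever see the protected form.
    // Protect once so the Location header and the response body carry the same token.
    var protectedId = _blogPostProtector.Protect(blogPost.Id.ToString());
    var blogPostResponse = BlogPostResponse.FromBlogPost(protectedId, blogPost, true);

    return CreatedAtAction(nameof(Get), new { id = protectedId }, blogPostResponse);
}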
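/// <summary>
/// Returns a single blog post addressed by its protected (opaque) id.
/// </summary>
/// <param name="id">The protected post id as produced by <c>_blogPostProtector.Protect</c>.</param>
/// <returns>
/// 200 with the post and a flag telling whether the caller is its author, or 404 when the
/// id does not unprotect to a known post. A missing, forged or tampered id is answered
/// with 404 rather than an unhandled 500, so the response does not distinguish
/// "invalid token" from "no such post".
/// </returns>
public IActionResult Get([FromRoute] string id)
{
    if (string.IsNullOrEmpty(id))
    {
        return NotFound();
    }

    // Unprotect throws CryptographicException on a tampered or otherwise invalid payload;
    // treat that exactly like an unknown post instead of letting it escape as a 500.
    Guid blogPostId;
    try
    {
        if (!Guid.TryParse(_blogPostProtector.Unprotect(id), out blogPostId))
        {
            return NotFound();
        }
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        return NotFound();
    }

    BlogPost blogPost = _ctx.BlogPosts
        .Include(bp => bp.Author)
        .SingleOrDefault(bp => bp.Id == blogPostId);
    if (blogPost == null)
    {
        return NotFound();
    }

    // Anonymous callers (no "authorId" claim) are never the author. A malformed claim is
    // treated the same way rather than throwing FormatException.
    var currentUserId = HttpContext.User.FindFirst("authorId")?.Value;
    bool isCurrentUserAuthor =
        Guid.TryParse(currentUserId, out var currentAuthorId)
        && currentAuthorId.Equals(blogPost.AuthorId);

    // The author's real id is protected as well; only opaque tokens leave the API.
    var author = new AuthorViewModel(
        _authorProtector.Protect(blogPost.Author.Id.ToString()),
        blogPost.Author.Name);

    return Ok(BlogPostResponse.FromBlogPost(
        _blogPostProtector.Protect(blogPostId.ToString()),
        blogPost,
        author,
        isCurrentUserAuthor));
}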