I have an ASP.NET MVC 3 application in which I want to set
requestValidationMode="4.0"
and all areas of the website where a normal user has access have
ValidateInput(true)
So I basically HTML encode all user input and save it encoded in the database. (The site is not meant to work without JavaScript.)
My question is
How should I treat the signup, log in and change password functionality?
Obviously I want to allow the user to insert whichever password he/she wants, so:
Is it OK if, for the password field, I HTML encode on the client and then HTML decode on the server, before saving the password in the database?
Thank you
Given that passwords aren't ever likely to be displayed in cleartext (or even stored), XSS shouldn't be a concern for passwords.
You can decorate the password property(ies) of your (view) model with
[AllowHtml]
I can't think of a reason why the password would need to be echoed back to the client from the server, so the HTML sanitization step shouldn't be necessary? (Do password-rule validation on the client.)
Troy Hunt discusses this here.
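The pattern the answer describes, written out as an added example (not code from the question or the answer): request validation stays on for the action, only the password property is exempted with `[AllowHtml]`, and the raw password is neither encoded nor stored; a salted PBKDF2 hash is what goes to the database. `RegisterViewModel`, `AccountController`, `PasswordHasher` and the `_users` repository are assumed names for illustration; `IUserRepository` is a hypothetical persistence interface that is not defined here.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Security.Cryptography;
using System.Web.Mvc;

// Constructed view model: request validation is skipped for Password only,
// so a password such as "<b>pass</b>" binds without a request validation error,
// while UserName is still validated like any other field.
public class RegisterViewModel
{
    [Required]
    [StringLength(64)]
    public string UserName { get; set; }

    [Required]
    [AllowHtml]                    // exempts this property, not the whole request
    [DataType(DataType.Password)]
    public string Password { get; set; }
}

public class AccountController : Controller
{
    private readonly IUserRepository _users;   // hypothetical persistence interface

    public AccountController(IUserRepository users) { _users = users; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [ValidateInput(true)]          // the MVC default; kept explicit to match the question
    public ActionResult Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);    // Password is never written back into the view

        // No HTML encode/decode round trip: the password is hashed and the
        // plaintext is discarded, so it is never displayed and never stored.
        string stored = PasswordHasher.Hash(model.Password);
        _users.Create(model.UserName, stored);

        return RedirectToAction("Index", "Home");
    }
}

public static class PasswordHasher
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 10000;   // assumed work factor; tune for the server

    // Returns "base64(salt):base64(pbkdf2)" for storage.
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] key = kdf.GetBytes(HashSize);
            return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(key);
        }
    }

    // Re-derives the key from the stored salt and compares in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;
            for (int i = 0; i < expected.Length; i++)
                diff |= expected[i] ^ actual[i];
            return diff == 0;
        }
    }
}
```

The login and change-password actions follow the same shape: mark the password properties on their view models with `[AllowHtml]`, call `PasswordHasher.Verify` against the stored value, and never place the submitted password into `ViewBag`, `TempData` or a view model that is rendered back to the browser.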