Prevent Cross-Site Scripting in ASP.NET

3/3/2006 12:50:40 PM

The following Microsoft article is a great resource for those of you wanting to protect your pages from cross-site scripting (XSS) attacks.

I thought that functions for cleaning data were sufficient. Obviously I was wrong.

One fix that was overlooked is using HttpUtility.HtmlEncode to encode user-input strings into HTML-safe strings before they are transmitted over HTTP from the web server to the client (browser).

using System.Web;

// Encode the raw text box value so that markup characters in the input
// are written as HTML entities instead of being parsed as tags.
string Input = HttpUtility.HtmlEncode(tbInput.Text);

With HtmlEncode above, if a user submits a JavaScript alert as a comment to a blog entry (like this one), the < and > characters are written out as &lt; and &gt; instead, so the browser displays the text rather than executing it as script.
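The following is an added example of my own, not code from the original post or from the Microsoft article it links to. It renders a blog comment twice: once by concatenating the raw input into the markup (the vulnerable pattern), and once with HttpUtility.HtmlEncode for element content and HttpUtility.HtmlAttributeEncode for an attribute value. The class and method names (CommentRenderer, RenderUnsafe, RenderSafe) and the sample comment string are constructed for the example; it assumes a project reference to System.Web on the .NET Framework.

```csharp
// Added example (not from the original post): rendering a blog comment with
// and without output encoding. Assumes a reference to System.Web.
using System;
using System.Web;

public static class CommentRenderer
{
    // Constructed sample input: the kind of comment body an attacker would submit.
    public const string SampleComment = "<script>alert('xss')</script>";

    // Vulnerable: the raw strings are concatenated straight into the page markup,
    // so the browser parses the <script> tag in the body and runs it.
    public static string RenderUnsafe(string author, string body)
    {
        return "<div class=\"comment\" title=\"" + author + "\">"
             + body + "</div>";
    }

    // Fixed: encode each value for the context it lands in.
    // HtmlEncode for element content, HtmlAttributeEncode for a double-quoted
    // attribute value (always quote attributes; an unquoted attribute can be
    // broken out of with a space, which neither encoder escapes).
    public static string RenderSafe(string author, string body)
    {
        return "<div class=\"comment\" title=\"" + HttpUtility.HtmlAttributeEncode(author) + "\">"
             + HttpUtility.HtmlEncode(body) + "</div>";
    }

    // Returns true when the rendered markup still contains a literal "<script"
    // from the untrusted body, i.e. the encoding did not neutralise the tag.
    public static bool ContainsRawScriptTag(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        string unsafeHtml = RenderUnsafe("bob", SampleComment);
        string safeHtml = RenderSafe("bob", SampleComment);

        Console.WriteLine("Unencoded : " + unsafeHtml);
        Console.WriteLine("Encoded   : " + safeHtml);
        Console.WriteLine("Raw <script> survives unencoded render? " + ContainsRawScriptTag(unsafeHtml));
        Console.WriteLine("Raw <script> survives encoded render?   " + ContainsRawScriptTag(safeHtml));
    }
}
```

In a Web Forms page the same HtmlEncode call goes wherever the untrusted value is assigned to a control's Text or written with Response.Write; the point of the example is that the encoder must match the output context, so a value dropped into an attribute, a URL or an inline script needs the encoder for that context rather than HtmlEncode alone.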

Check out the comments for a working example.


