Prevent Cross-Site Scripting in ASP.NET
3/3/2006 12:50:40 PM
The following Microsoft article is a great resource for those of you wanting to protect your pages from cross-site scripting (XSS) attacks.
I thought that functions for cleaning data were sufficient. Obviously I was wrong.
One fix that is easy to overlook is HttpUtility.HtmlEncode, which encodes user-input strings into HTML-safe strings before the web server transmits the page to the client (browser).
string input = HttpUtility.HtmlEncode(tbInput.Text);
With HtmlEncode above, if a user submits a JavaScript alert as a comment to a blog entry (like this one), the < and > are written out as &lt; and &gt; instead, so the browser displays the script as text rather than running it.
Check out the comments for a working example.
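The following is an added example, not code from the original post: a Web Forms code-behind that shows the vulnerable assignment next to the HtmlEncode fix, followed by a small helper that picks the encoder for each output context. The control names (tbInput, litComment), the button handler and the SafeOutput class are assumptions made for the illustration.

```csharp
// Added example, not from the original post. Control names and the
// SafeOutput helper are assumptions for the illustration.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CommentPage : Page
{
    // Assumed controls declared in the .aspx markup:
    //   <asp:TextBox ID="tbInput"   runat="server" />
    //   <asp:Literal ID="litComment" runat="server" />
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Vulnerable: a Literal emits its Text verbatim, so a comment such as
        // <script>alert('xss')</script> is executed by every visitor's browser.
        // litComment.Text = tbInput.Text;

        // Fixed: encode at the point of output. The markup reaches the browser
        // as &lt;script&gt;...&lt;/script&gt; and is shown as text, not run.
        litComment.Text = HttpUtility.HtmlEncode(tbInput.Text);
    }
}

// HtmlEncode is the right encoder for element content only. Data written
// into another kind of sink needs the encoder for that context, otherwise
// it can still break out of the surrounding syntax.
public static class SafeOutput
{
    // Element body: <p>...</p>
    public static string ForHtmlBody(string s)
    {
        return HttpUtility.HtmlEncode(s);
    }

    // Attribute value: <input value="..."> (only safe when the attribute is quoted)
    public static string ForHtmlAttribute(string s)
    {
        return HttpUtility.HtmlAttributeEncode(s);
    }

    // Query-string parameter: href="page.aspx?q=..."
    public static string ForUrlParameter(string s)
    {
        return HttpUtility.UrlEncode(s);
    }

    // Inside a JavaScript string literal: var x = "..."; (.NET 4.0 and later)
    public static string ForJsString(string s)
    {
        return HttpUtility.JavaScriptStringEncode(s);
    }
}
```

Two caveats a practitioner will want: the .NET Framework versions current when this was written (1.1 and 2.0) encode <, >, & and " but not the single quote, so attribute values built from user input must be double-quoted (later versions also emit &#39;); and encoding on input, as the snippet above does, works only if the stored value is never rendered anywhere else unencoded, which is why encoding at the point of output is the safer habit.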
Security
