Preventing XSS attacks to dynamically created DOM webpages and dynamically generated javascript event handlers
-
I have read the following article: https://msdn.microsoft.com/en-us/library/bb355989.aspx Now this article allows me to understand XSS vulnerability defense to a webpage that is statically made up of asp and html controls built on a webpage as in true markup layout fashion. I now understand that that control input should use not only server side in validation but input should validate length, range, format and type. The question I have is that I am trying to sanitize a website where the page layout controls are build on to the DOM object dynamically when the page loads. For example on the page load event methods add controls to the document object one at a time in the method that builds the entire webpage during that calling method. Also, control event handling is done by methods that send concatenated JavaScript strings, during page load, as output to the page that handle page control events. I guess my question is, how do I use asp.net validation controls, regex checking, etc. functionally when everything is built, the DOM and JavaScript event handling on the loading of the webpage? For example adding controls as in the following fashion:
private void CreateControls(ControlCollection cc) { if (RadScriptManager.GetCurrent(\_contextPage) == null) { RadScriptManager rsm = new RadScriptManager(); rsm.ID = "scriptManager"; cc.Add(rsm); }}