Prevent Cross-Site Scripting
-
Actually I want to prevent cross-site scripting in ASP.NET forums. I want to protect against user input when a user (lamer) enters a script in a textbox in ASP.NET forms. If I take the textbox string and convert the <, > and & symbols to HTML encoding in the string, is this process enough to prevent cross-site scripting? Best Regards...
-
Yes. But you ought to process HTML on the way out, as it's getting displayed on screen, rather than store it in the database in HTML-encoded format. This ensures the database stores the data in a platform-neutral format. Also, some ASP.NET controls perform their own HTML encoding (such as the ToolTip property, or the Text property of TextBox controls), so you'll end up encoding the encoding and the user will see `&lt;` on the screen instead of `<`. Use Server.HtmlEncode(outputString), but don't do this for control properties that already do their own encoding, for the above reason.
Dominic Pettifer Blog: www.dominicpettifer.co.uk
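The pattern the answer describes (store the raw text, encode at render time, and skip the encoding for controls that already encode), written out as an added example. This is not code from the original thread; it assumes a hypothetical Web Forms page with a Literal control named PostBody and a TextBox named ReplyBox, and the stored post text is a constructed sample. Server.HtmlEncode used in the answer is equivalent to HttpUtility.HtmlEncode; the example also shows HttpUtility.HtmlAttributeEncode, since HtmlEncode alone is the right encoder only for text between tags, and a value placed inside an attribute needs the attribute encoder.

```csharp
// Added example (not from the original post): keep user input raw in storage,
// encode it at the point where it is written into the page.
// Assumed control names: PostBody (Literal) and ReplyBox (TextBox).
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ForumPost : Page
{
    // Constructed sample of what a user typed into the form, as it would be
    // read back from the database: stored unencoded.
    private const string StoredPostText =
        "Hello <b>world</b> & <script>alert(1)</script>";

    protected void Page_Load(object sender, EventArgs e)
    {
        // A Literal writes its Text straight into the HTML (unless Mode="Encode"),
        // so this is the place to encode.
        PostBody.Text = EncodeForHtmlBody(StoredPostText);

        // TextBox.Text is HTML-encoded by the control when it renders the value
        // attribute, so assign the raw text; encoding it here would show the
        // user "&lt;" on screen instead of "<" (double encoding).
        ReplyBox.Text = StoredPostText;

        // A custom attribute on a control is not encoded for you: use the
        // attribute encoder rather than dropping the raw value in.
        ReplyBox.Attributes["title"] = EncodeForHtmlAttribute(StoredPostText);
    }

    // Text placed between HTML tags (element content).
    public static string EncodeForHtmlBody(string raw)
    {
        return HttpUtility.HtmlEncode(raw ?? string.Empty);
    }

    // Text placed inside a quoted HTML attribute value.
    public static string EncodeForHtmlAttribute(string raw)
    {
        return HttpUtility.HtmlAttributeEncode(raw ?? string.Empty);
    }

    // The mistake the answer warns about: encoding an already-encoded value.
    // DoubleEncoded("<") returns "&amp;lt;", which the browser displays as "&lt;".
    public static string DoubleEncoded(string raw)
    {
        return HttpUtility.HtmlEncode(HttpUtility.HtmlEncode(raw ?? string.Empty));
    }
}
```

With the sample input, EncodeForHtmlBody turns `<script>` into `&lt;script&gt;`, so the browser shows the tag as text instead of running it, while ReplyBox receives the raw string and still renders `<` correctly because the control encodes once on its own.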