How to prevent XSS in Asp.NET
https://stackoverflow.com/questions/10507596
-
06-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
What are the techniques that one can use to prevent cross site scripting in asp.net? Are there any non ready implementations that one can use to achieve a website protected against xss?
Solution
We did in-house development for this purpose for a long time, but finally Microsoft provided a library for it. We now replaced our library with this one completely. It can simply be used as follows:
string sanitizedString = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(string myStringToBeChecked);
The only problem with this method is that it trims multiple whitespaces that are separated with line ending characters. If you do not want that to happen, you may consider splitting the string first with respect to line ending characters (\r\n), then calculate the number of whitespaces before and after these splitted strings, apply sanitizer, append whitespaces back and concatenate.
Other than that, Microsoft library works fine.
OTHER TIPS
The microsoft anti cross site scripting library is a good start. It has some useful helper methods to prevent XSS. It is now part of the larger Microsoft Web Protection Library
To protect cross site scripting attack as following ways.
1. Use HtmlEncoding while saving the input content that is received from web application controls usch as textbox etc.
2. Use InnerText instead of InnerHtml while displaying data on the page.
3. Do the input sanitization before saving the data into database.
