Question

In our application we have a class called GlobalPage.cs. This page inherits from Page, and we have Page load overrides and others there. It was called to our attention that we need to add some security to our pages that contain textboxes (some are asp textboxes and others are html inputs). What we want to do is to be able to check all those fields globally from one place and not do it individually on each page. How can we achieve this, possibly using the GlobalPage.cs?

I would appreciate any input or help on what can be done.

Solution

There is already some built-in protection from malicious input. Make sure you did not turn it off.

<pages validateRequest="true"...>

Incoming values by themselves are not a problem for XSS. It is rendering of non-escaped values that causes problems. So while sanitizing input is somewhat useful, there is no replacement for correct encoding of output.

Consider reading existing information on XSS protection in ASP.NET, like How To: Protect From Injection Attacks in ASP.NET (2.0; note that there are changes in 4.0 - ASP.NET Request Validation).
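
One way to centralise the output encoding described in the answer above in the shared base page, as an added example that is not part of the original answer. The `H` helper, the `EncodeLiterals` walk, and the `CommentPage`, `NameBox` and `Greeting` names are hypothetical; request validation is assumed to stay enabled.

```csharp
// Added example; GlobalPage members, CommentPage, NameBox and Greeting are hypothetical.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class GlobalPage : Page
{
    // One helper every derived page uses when user-supplied text goes into HTML.
    protected static string H(object value)
    {
        return HttpUtility.HtmlEncode(Convert.ToString(value));
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        EncodeLiterals(this);
    }

    // Literal controls left at the default LiteralMode.Transform are switched to
    // Encode; a page that must emit markup opts out with Mode="PassThrough".
    private static void EncodeLiterals(Control root)
    {
        foreach (Control child in root.Controls)
        {
            Literal literal = child as Literal;
            if (literal != null && literal.Mode == LiteralMode.Transform)
                literal.Mode = LiteralMode.Encode;
            EncodeLiterals(child);
        }
    }
}

public class CommentPage : GlobalPage
{
    // Normally declared in the page's designer file.
    protected TextBox NameBox;
    protected Label Greeting;

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Unsafe: Label.Text is written to the response as-is.
        // Greeting.Text = "Hello, " + NameBox.Text;

        // Safe: the value is HTML-encoded at the point of output.
        Greeting.Text = "Hello, " + H(NameBox.Text);
    }
}
```

Controls added to the tree after the page's own PreRender step are not visited by the walk, so dynamically created Literal controls still need their mode set where they are created.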

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow