Question

I look after a site that needs to comply with PCI guidelines. After a lot of work some time ago it finally passed the PCI security check. Recently it's started failing again. I suspect this is because of new tests added to the security check.

What the check is complaining about now is the possibility of code injection into the site. This is an example of one of the things it's on about:

http://www.monorep.co.uk/vauxhall/new-vans/?DealergroupId=<aavxhv%20>

If you look in the source code using Firebug you'll see it's done this to my code:

<input name="DealergroupId" type="hidden" value="<aavxhv >">

Ok. Not harmful in itself, but I can see what they are getting at.

There are other very similar examples they supply, but they are all along the same sort of lines.

How can you actually protect against this sort of thing? And, is it harmful?

Thanks in advance.


Solution

You must encode all the rendered text on the HTML page with

HttpContext.Current.Server.HtmlEncode()

All the rendered text that comes from the database, from user input, or from other sources.

e.g., your code will look like

<input name="DealergroupId" type="hidden" value="<%=Server.HtmlEncode(cParametrFromUrl)%>">
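An added example, not part of the original answer: a small console program that renders the hidden field from the question both raw and encoded, and checks whether the value stays inside the `value` attribute. `WebUtility.HtmlEncode` is used in place of `Server.HtmlEncode` so the program runs outside ASP.NET; the class name, helper names and all sample inputs except the scanner's `<aavxhv >` probe are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Net;

static class HiddenFieldEncodingDemo
{
    const string Prefix = "<input name=\"DealergroupId\" type=\"hidden\" value=\"";
    const string Suffix = "\">";

    // What the scan flagged: the query-string value is written into the page as-is.
    static string RenderRaw(string value) => Prefix + value + Suffix;

    // What the answer recommends: encode on output.
    // WebUtility.HtmlEncode stands in for Server.HtmlEncode (assumption for a console run).
    static string RenderEncoded(string value) => Prefix + WebUtility.HtmlEncode(value) + Suffix;

    // The tag has three attributes, so intact markup contains exactly six double
    // quotes and a single '<' ... '>' pair. Any other count means part of the
    // value is being parsed as markup instead of as attribute data.
    static bool ValueStaysInsideAttribute(string html) =>
        html.Count(c => c == '"') == 6 &&
        html.Count(c => c == '<') == 1 &&
        html.Count(c => c == '>') == 1;

    static void Main()
    {
        // Constructed inputs: a normal id, the scanner's probe from the question,
        // a value containing a double quote, and a value containing an ampersand.
        string[] samples = { "42", "<aavxhv >", "x\" data-probe=\"1", "Smith & Sons" };

        foreach (string s in samples)
        {
            string raw = RenderRaw(s);
            string enc = RenderEncoded(s);

            // Decoding the attribute value must give back exactly what was sent,
            // so encoding protects the markup without changing the data.
            string attr = enc.Substring(Prefix.Length, enc.Length - Prefix.Length - Suffix.Length);
            bool roundTrips = WebUtility.HtmlDecode(attr) == s;

            Console.WriteLine("input      : " + s);
            Console.WriteLine("raw        : " + raw + "  contained=" + ValueStaysInsideAttribute(raw));
            Console.WriteLine("encoded    : " + enc + "  contained=" + ValueStaysInsideAttribute(enc));
            Console.WriteLine("round trip : " + roundTrips);
            Console.WriteLine();
        }
    }
}
```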
Licensed under: CC-BY-SA with attribution