Interesting related videos

Loading...

Thursday, January 11, 2007

HttpUtility.HtmlEncode and Server. HtmlEncode do not prevent Cross Site Scripting

Do not use: HttpUtility.HtmlEncode or Server.HtmlEncode because this functions only encodes <>"& characters. This is not sufficient to protect against all possible attacks.
For instance, the following ASP.NET code would be vulnerable:



In order to be fully protected use the method: HtmlEncode of Microsoft Anti-Cross Site Scripting Library.

Tutorial that shows you how to use the Microsoft Anti-Cross Site Scripting Library:
http://msdn2.microsoft.com/en-us/library/aa973813.aspx

Forum:
http://forums.asp.net/1107/ShowForum.aspx.

2 comments:

chinnubeta said...

Just a FYI thing: starting .net 4.0 release Server.HtmlEncode encodes Apostrophe as "'" . So this is not an issue.

I would still recommend using AntiXss for encoding , but posting it to highlight new information.

ping pong said...

What is the value of Request.QueryString["userId"] that will trigger the attack? Can you please provide an example?