Thursday, January 11, 2007

HttpUtility.HtmlEncode and Server.HtmlEncode do not prevent Cross Site Scripting

Do not use HttpUtility.HtmlEncode or Server.HtmlEncode, because these functions only encode the characters <, >, " and &. That is not sufficient to protect against all possible attacks.
For instance, the following ASP.NET code would be vulnerable:

To be fully protected, use the HtmlEncode method of the Microsoft Anti-Cross Site Scripting Library instead.
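The following Python example is added here to illustrate the point of the post; it is not the post's ASP.NET code and not the .NET or AntiXSS implementation. `legacy_html_encode` re-implements the behaviour described above (only <, >, " and & are encoded), `full_html_encode` also encodes the apostrophe, and `value_survives` uses Python's own HTML parser as a stand-in for a browser to check whether an encoded value written into a single-quoted attribute still reaches the parser as one attribute value. The template, function names and the sample input `O'Brien` are constructed for this example.

```python
from html.parser import HTMLParser


def legacy_html_encode(value: str) -> str:
    """Emulates the encoding the post describes for the old HttpUtility.HtmlEncode /
    Server.HtmlEncode: only < > " & are encoded; the apostrophe passes through.
    Re-implementation for illustration only, not the .NET code."""
    return (value.replace("&", "&amp;")   # & first, so later entities are not double-encoded
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def full_html_encode(value: str) -> str:
    """Same as above plus the apostrophe, so the output is also safe inside a
    single-quoted attribute value."""
    return legacy_html_encode(value).replace("'", "&#39;")


def render_single_quoted(value: str, encoder) -> str:
    """Constructed stand-in for an ASP.NET page that writes an encoded
    query-string value into a single-quoted attribute."""
    return f"<input name='userId' value='{encoder(value)}'>"


class _StartTagAttrs(HTMLParser):
    """Collects the attributes the parser sees on the first start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def parsed_attrs(markup: str) -> dict:
    """Attributes of the first start tag in markup, with entities decoded."""
    p = _StartTagAttrs()
    p.feed(markup)
    p.close()
    return dict(p.attrs or [])


def value_survives(value: str, encoder) -> bool:
    """True when the untrusted text stays inside the attribute value; False when
    part of it spilled into tag context (where it would be read as new attributes)."""
    expected = {"name": "userId", "value": value}
    return parsed_attrs(render_single_quoted(value, encoder)) == expected


if __name__ == "__main__":
    sample = "O'Brien"  # constructed input: a plain apostrophe is enough to show the problem
    for name, enc in (("legacy", legacy_html_encode), ("full", full_html_encode)):
        markup = render_single_quoted(sample, enc)
        print(f"{name:6} {markup!r:48} intact={value_survives(sample, enc)}")
```

With the legacy encoder the rendered tag is `<input name='userId' value='O'Brien'>`: the parser closes the attribute at the second apostrophe and treats the remainder as further attributes, which is exactly the tag context an attacker wants to reach. With the apostrophe encoded the parser hands back `O'Brien` unchanged. Python's standard `html.escape(value)` already encodes all five characters; the point of the example is the context check, which you can reuse against any encoder.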

Tutorial that shows you how to use the Microsoft Anti-Cross Site Scripting Library:



chinnubeta said...

Just an FYI: starting with the .NET 4.0 release, Server.HtmlEncode encodes the apostrophe as "'". So this is not an issue.

I would still recommend using AntiXss for encoding, but I am posting this to highlight new information.

ping pong said...

What is the value of Request.QueryString["userId"] that will trigger the attack? Can you please provide an example?