Do not use: HttpUtility.HtmlEncode or Server.HtmlEncode because this functions only encodes <>"& characters. This is not sufficient to protect against all possible attacks.
For instance, the following ASP.NET code would be vulnerable:
In order to be fully protected use the method: HtmlEncode of Microsoft Anti-Cross Site Scripting Library.
Tutorial that shows you how to use the Microsoft Anti-Cross Site Scripting Library:
http://msdn2.microsoft.com/en-us/library/aa973813.aspx
Forum:
http://forums.asp.net/1107/ShowForum.aspx.
Subscribe to:
Post Comments (Atom)
2 comments:
Just a FYI thing: starting .net 4.0 release Server.HtmlEncode encodes Apostrophe as "'" . So this is not an issue.
I would still recommend using AntiXss for encoding , but posting it to highlight new information.
What is the value of Request.QueryString["userId"] that will trigger the attack? Can you please provide an example?
Post a Comment