Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am member of team with 25 developer.we use mvc.net application that security is a n important for us.we use @Html.AntiForgeryToken() and anything that related with security but We are concerned about Prevent XSS hacking.
we encode every where but some places we need html from user.
What is the best practice for Prevent XSS hacking?
The golden rule to prevent XSS is to HTML encode everything that you are outputting to a view.
Hopefully the
@Razor function already does that automatically for you.So when you write one of the following you are pretty safe:
You should be careful with the
@Html.Rawhelper:If you use that the output will not be HTML encoded. This doesn’t mean that your site is vulnerable to XSS injection. For example if you have total control of the property and is not coming from an user input you should be pretty safe.
If you are using the WebForms view engine then you should be more careful because the
<%=function doesn’t HTML encode the output.So the following is not safe:
You should use one of the following:
If on the other hand you need to output some user input without HTML encoding it I would recommend you using the
AntiXSSlibrary from Microsoft. It will filter out all dangerous tags from the input and you are safe to output it. For example it will remove the<script>tags from the input. There’s also anarticle on MSDNabout this library that you might checkout.