I have been told to find a fix to Cross Site Scripting (XSS) in some of my bank old .asp pages.

I did some research on the subject, but I didn’t find an answer to my problem. It’s the first time I heard about XSS and the first time I am looking at ASP (although the page has nothing but HTML) and I haven’t been into web design for about 2 years now, so I am very very rusty.

So for example, I have this form

<form method="POST" id="CH" name="CH" action="http://some_url/some.asp">
<input type="hidden" name="srv" value="1" ID="srv"/>
<TABLE border="0" cellpadding="0" cellspacing="0" width="100%" align="center">
    <TR valign="top">
            <TR>
                <TD align="center">Input something here
                <input name="input_something" type="text" class="field-no-fit" maxlength="12" value="">
                </TD>
            </TR>
    </TR>
</TABLE>
</form>

If I manually input the URL (which contains this form) as

http://this_url/this.asp?1=%22%3E%3Cscript%3Ealert%28HelloWorld%29%3C/script%3E%3Cimg%20alt=%22%22%20src=%22

the page will load and then it will throw a javascript alert and display an error image.

My goal is to stop scripts from running when opening the page.
I read about Server.HTMLEncode but can’t find a way to use it to stop the script from running at page load.

Thanks in advance!

EDIT: Will I be able, at least partially, to work around it if I replace the input’s value with:
“<%= Server.HTMLEncode(Request(“input_something”))%>”

I cannot test it, since, currently, I have no access to IE6, and all the other browsers (including IE>6 versions) avoid the error (already disabled XSS Filter in the Security tab, but it does not work)