In asp.net is the PagesSection.ValidateRequest method enough to prevent all XSS attacks or is there something more that needs to be done?
Can anyone point me to a more thorough resource on this topic specifically for asp.net as Google mainly returns MSDN articles and I’d like to verify that we’re doing enough.
AntiXSS Library
The Microsoft AntiXSS library is a good solution for ASP.Net. It uses a whitelist (versus blacklist) approach and seems to be regularly updated by Microsoft.
Latest download (as of this post): http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28589
AntiXSS supports both text and HTML-style validation. The HTML validation does permit content that might be undesirable (such as images in another domain).
It requires that you run each of your input values through the library which will result in additional (albeit simple) code.
Benefits
Manually validating each input ensures that you are not assuming security is just “handled” by ASP.Net request validation. It also gives you the flexibility to disable request validation if needed (there are legitimate cases for questionable characters in a request). Because you are validating the input explicitly with the AntiXSS library, you can allow characters/markup in the request.
General XSS Info
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
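The following is an added example, not code from the question, the answer above, or Microsoft: it shows the AntiXSS library (`Microsoft.Security.Application` namespace, AntiXSS 4.x) applied at the point where untrusted values are written into a page, encoding each value for the context it lands in (element text, attribute, JavaScript string, URL) and sanitizing a rich-HTML fragment. The class `SafeOutput`, its method names and the sample inputs are this example's own; the assumption is that `AntiXssLibrary.dll` and `HtmlSanitizationLibrary.dll` are referenced.

```csharp
// Added example, not the original page's code. Assumes AntiXSS 4.x assemblies
// (AntiXssLibrary.dll, HtmlSanitizationLibrary.dll) are referenced.
using System;
using Microsoft.Security.Application;

public static class SafeOutput
{
    // Before: untrusted values concatenated straight into markup. Request
    // validation (ValidateRequest) is a coarse filter on the incoming request
    // and is often disabled on pages that legitimately accept markup, so
    // nothing here guarantees the values are safe in the contexts they reach.
    public static string RenderCommentUnsafe(string author, string comment)
    {
        return "<div class=\"comment\" data-author=\"" + author + "\">"
             + comment + "</div>";
    }

    // After: each value is encoded for the exact context it is emitted into.
    public static string RenderComment(string author, string comment)
    {
        return "<div class=\"comment\" data-author=\""
             + Encoder.HtmlAttributeEncode(author)   // HTML attribute context
             + "\">"
             + Encoder.HtmlEncode(comment)           // HTML element text context
             + "</div>";
    }

    // Value placed inside a <script> block: JavaScript string context.
    // Encoder.JavaScriptEncode returns the value already wrapped in quotes.
    public static string RenderUserScript(string displayName)
    {
        return "<script>var user = " + Encoder.JavaScriptEncode(displayName)
             + ";</script>";
    }

    // Value placed in a query string: URL context.
    public static string RenderSearchLink(string term)
    {
        return "<a href=\"/search?q=" + Encoder.UrlEncode(term) + "\">"
             + Encoder.HtmlEncode(term) + "</a>";
    }

    // Rich text the application wants to keep as HTML (e.g. a forum post):
    // whitelist-based sanitizer rather than encoding, so allowed tags survive
    // while scripts, event handlers and unknown elements are stripped.
    public static string RenderRichText(string html)
    {
        return Sanitizer.GetSafeHtmlFragment(html);
    }

    public static void Main()
    {
        // Constructed sample inputs: ordinary text containing characters that
        // are significant in markup, not an attack payload.
        string author  = "O\"Neil & Sons";
        string comment = "Use <b>bold</b> for emphasis, see a.b?c=1&d=2";

        Console.WriteLine(RenderCommentUnsafe(author, comment));
        // The quote in 'author' ends the attribute early and the <b> tag renders.

        Console.WriteLine(RenderComment(author, comment));
        // Quotes, ampersands and angle brackets become entities: inert text.

        Console.WriteLine(RenderUserScript(author));
        Console.WriteLine(RenderSearchLink(comment));
        Console.WriteLine(RenderRichText(comment));
        // Sanitizer keeps <b>...</b>, since it is on the whitelist.
    }
}
```

The design point is that the decision is made per output context, not once per request: the same string needs a different transformation inside an attribute, a script literal and a URL, which is why a single request-time check cannot stand in for it. On ASP.NET 4.0 and later the library's `AntiXssEncoder` can also be registered in `web.config` through the `encoderType` attribute of `<httpRuntime>`, so that the `<%: %>` syntax and `HttpUtility.HtmlEncode` use the AntiXSS encoders without each call site changing.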