Home/ Questions/Q 293717
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T06:18:04+00:00

Personally, I try and write secure ASP.NET code. However, I have become quite paranoid

  • 0

Personally, I try and write secure ASP.NET code. However, I have become quite paranoid about the code I write, as I used to work for a Registrar (high fraud targets). Are there any ASP.NET functions I should look at with extreme scrutiny (other than SQL access – I know enough not to do dynamic SQL).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is an excellent MSDN article: Security Practices: ASP.NET 2.0 Security Practices at a Glance.

    Excerpt:

    How to prevent cross site scripting

    Validate input and encode output.
    Constrain input by validating it for
    type, length, format, and range. Use
    the HttpUtility.HtmlEncode method to
    encode output if it contains input
    from the user, such as input from form
    fields, query strings, and cookies or
    from other sources, such as databases.
    Never just echo input back to the user
    without validating and/or encoding the
    data. The following example shows how
    to encode a form field. 

    Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));

    If you return URL strings that contain
    input to the client, use the
    HttpUtility.UrlEncode method to encode
    these URL strings, as shown here. 

    Response.Write(HttpUtility.UrlEncode(urlString));

    If you have pages that need to accept
    a range of HTML elements, such as
    through some kind of rich text input
    field, you must disable ASP.NET
    request validation for the page.

    Turn On Custom Errors To Keep Errors Private

    <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
    • 0