Best practice for Prevent XSS hacking

Question

I am member of team with 25 developer.we use mvc.net application that security is a n important for us.we use @Html.AntiForgeryToken() and anything that related with security but We are concerned about Prevent XSS hacking. we encode every where but some places we need html from user. What is the best practice for Prevent XSS hacking?

Answer 1

The golden rule to prevent XSS is to HTML encode everything that you are outputting to a view.

Hopefully the @ Razor function already does that automatically for you.

So when you write one of the following you are pretty safe:

@Model.SomeProperty
@Html.DisplayFor(x => x.SomeProperty)

You should be careful with the @Html.Raw helper:

@Html.Raw(Model.SomeProperty)

If you use that the output will not be HTML encoded. This doesn't mean that your site is vulnerable to XSS injection. For example if you have total control of the property and is not coming from an user input you should be pretty safe.

If you are using the WebForms view engine then you should be more careful because the <%= function doesn't HTML encode the output.

So the following is not safe:

<%= Model.SomeProperty %>

You should use one of the following:

<%= Html.DisplayFor(x => x.SomeProperty) %>
<%: Model.SomeProperty %>

If on the other hand you need to output some user input without HTML encoding it I would recommend you using the AntiXSS library from Microsoft. It will filter out all dangerous tags from the input and you are safe to output it. For example it will remove the <script> tags from the input. There's also an article on MSDN about this library that you might checkout.