Reputation: 35853
ASP.NET: Looking for solution to solve XSS
We got a long-running website where XSS lurks. The problem comes from that some developers directly - without using HtmlEncode/Decode() - retrieve Request["sth"] to do the process, putting on the web.
I wonder if there is any mechanism like HTTPModule to help us HtmlEncode() all the items in a Http request to avoid XSS to some extent.
Appreciate for any suggestion.
Rgds, Ricky
Upvotes: 0
Views: 786
Answers (2)
Reputation: 1154
Like bobince said, this is an output problem, not an input problem. If you can isolate where this data is being output on the page, you could create a Filter and add it to the Response object. This filter would isolate the areas that are common output and then HtmlEncode them.
Upvotes: 0
Reputation: 536379
The problem is not retrieving Request data without HTML-encoding. In fact that's perfectly correct. You should not encode any text until the final output stage when you spit it into an HTML page.
Trying to blanket-encode incoming parameters, whether that's HTML-encoding or SQL-encoding, is totally the wrong thing. It may hide XSS holes in your app but it does not fix them. You will still have a hole if you output content that hasn't come from parameters, or has been processed since then. Meanwhile the automatic encoding will fill your database with multiply-escaped & crud.
You need to fix the output stage, that's where the problem lies.
Upvotes: 1
Related Questions
- Anti XSS and Classic ASP
- How to prevent XSS attack from the ASP
- MVC c# prevent xss
- How can I prevent XSS attack in Asp.net Webforms?
- How to prevent XSS in Asp.NET
- How to solve Reflected Cross-Site Scripting (XSS) Vulnerabilities in HTML/aspx site
- How do you avoid XSS vulnerabilities in ASP.Net (MVC)?
- What is a good way to prevent websites from xss attacks
- sanitizing xss in asp.net mvc
- asp.net sanitizing user input