Raven13

Reputation: 123

XSS mitigation in HTML/VBScript/Classic ASP

I'm faced with the following hypothetical XSS vulnerability in my web code:

original code: <INPUT TYPE=HIDDEN NAME='acctno' VALUE='" &Session("acctno")& "'>

hacked code: <INPUT TYPE=HIDDEN NAME='acctno' VALUE='12345'/><script>alert(98765)</script>

Can I mitigate this simply by adding HTMLEncode to the session variable in the value field?
Thanks.

Upvotes: 0

Views: 1070

Answers (1)

SLaks

Reputation: 887459

Exactly. You need to HTML encode all text that gets inserted into the HTML.

You also need to JavaScript-encode any text that gets inserted into JavaScript code, and you need to URL-encode any text that gets inserted into URLs.

Upvotes: 1
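The three encoding contexts from the answer, as an added example that is not code from the question or the answer: one encoder per context, written in JavaScript so it runs anywhere, with the question's own hidden-input template rendered against the hostile value it shows. The Classic ASP equivalents named in the comments (Server.HTMLEncode, Server.URLEncode) are real built-ins; the rendering helpers and the sample value are constructed for this example.

```javascript
// Context-aware output encoders for the three contexts named in the answer.
// Classic ASP has Server.HTMLEncode and Server.URLEncode for the first and
// third contexts, but no built-in encoder for JavaScript string literals.

// HTML context (element body or quoted attribute value). This also encodes the
// apostrophe, which Server.HTMLEncode leaves alone, so the single-quoted
// VALUE='...' attribute from the question cannot be closed early; in ASP,
// prefer double-quoted attributes so that Server.HTMLEncode's &quot; protects them.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// JavaScript string-literal context: every non-alphanumeric becomes \xHH (or
// \uHHHH), so quotes, backslashes, newlines and "</script>" can neither end the
// literal nor end the enclosing script block.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context (Server.URLEncode in Classic ASP).
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

// The hidden input from the question, with the session value HTML-encoded.
function renderHiddenInput(acctno) {
  return "<INPUT TYPE=HIDDEN NAME='acctno' VALUE='" + htmlEncode(acctno) + "'>";
}

// The same value landing inside an inline script's string literal.
function renderInlineScript(acctno) {
  return '<script>var acctno = "' + jsStringEncode(acctno) + '";</script>';
}

// The same value as a query parameter: URL-encoded for the URL, then
// HTML-encoded because the URL sits inside an HTML attribute.
function renderLink(acctno) {
  return '<a href="' + htmlEncode('/account.asp?acctno=' + urlEncode(acctno)) + '">Account</a>';
}

// Constructed sample: the hostile value from the question, as it might sit in Session("acctno").
const HOSTILE = "12345'/><script>alert(98765)</script>";
```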
