Monday, July 12, 2010

XSS Attack Prevention

Most web developers know about the RequestValidation configuration in .NET, which can be used to block XSS attacks.

But if we want to disable RequestValidation so that we have the flexibility to handle the input ourselves, we can use Server.HtmlEncode() to display it.

However, this is still not enough; it still leaves the application exposed to XSS attacks.
My colleague (Rob) found a utility that is a nice replacement for Server.HtmlEncode().

Download AntiXSSLibrary.dll
and replace Server.HtmlEncode() with AntiXss.UrlEncode().

http://msdn.microsoft.com/en-us/library/aa973813.aspx
http://blogs.msdn.com/b/cisg/archive/2008/08/26/what-is-microsoft-antixss.aspx
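One caveat worth keeping in mind: AntiXss.UrlEncode() is the right choice only where the untrusted value ends up inside a URL. The AntiXSS library ships a separate encoder for each output context (HTML body, HTML attribute, URL parameter, JavaScript string), and using the wrong one for a context still leaves an injection point. The code-behind below is an added example, not code from the original post or from the AntiXSS library itself; it assumes an ASP.NET Web Forms page with ValidateRequest="false", a query-string parameter named "q", and three Literal controls (litBody, litLink, litScript) declared in the markup. All of those names are assumptions for the example. It uses the Microsoft.Security.Application.AntiXss class from the 3.x library referenced by the links above.

```csharp
// Added example (not from the original post): context-aware output encoding with the
// Microsoft AntiXSS library (Microsoft.Security.Application.AntiXss, 3.x API).
// Assumes: an ASP.NET Web Forms page with ValidateRequest="false" in its @Page directive,
// a query-string parameter named "q", and the Literal controls listed below.
// These names are constructed for the example.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;

public partial class SearchPage : Page
{
    // Literal controls assumed to be declared in the .aspx markup:
    //   <asp:Literal ID="litBody"   runat="server" />   placed inside the HTML body
    //   <asp:Literal ID="litLink"   runat="server" />   placed where an <a> tag should render
    //   <asp:Literal ID="litScript" runat="server" />   placed inside a <script> block
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input. With request validation disabled, this value may contain
        // any markup the client chose to send, so every output of it must be encoded.
        string q = Request.QueryString["q"] ?? string.Empty;

        // 1. HTML body context: HtmlEncode (not UrlEncode) turns "<" into "&lt;" and so on,
        //    so the value renders as text instead of being parsed as markup.
        litBody.Text = "You searched for: " + AntiXss.HtmlEncode(q);

        // 2. URL parameter context: UrlEncode makes the value safe inside a query string.
        //    The assembled URL is then HtmlAttributeEncoded because it sits in an href attribute,
        //    so both the URL grammar and the attribute grammar are respected.
        string href = "Search.aspx?q=" + AntiXss.UrlEncode(q);
        litLink.Text = "<a href=\"" + AntiXss.HtmlAttributeEncode(href)
                     + "\">Search again</a>";

        // 3. JavaScript string context: JavaScriptEncode returns a single-quoted, escaped
        //    JavaScript string literal, so a value containing quotes or "</script>" cannot
        //    break out of the literal.
        litScript.Text = "var lastQuery = " + AntiXss.JavaScriptEncode(q) + ";";
    }
}
```

The rule of thumb the example follows: pick the encoder by where the value lands in the rendered page, not by where it came from. When the same value flows through two contexts (a URL inside an attribute), apply both encoders in the order the browser will decode them, innermost first.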
