Preventing XSS

  • Question

  • User-2097567671 posted

    Hi,

    How important is it to use HttpUtility.HtmlEncode() for entries like Name, Address, Phone, Email, etc. textboxes?  I want to make my application very secure, but I don't want to spend a lot of time doing things that are not that important.

    Thanks.

    Tuesday, July 10, 2012 10:54 AM

Answers

  • User1779161005 posted

    Security is hard because the defender has to protect every way in. The attacker has it easy because they only have to find one weakness.

    The basic issue is untrusted input. If the user is entering the data it's untrusted and it needs to be encoded. Also, if the value is coming from the database -- is that trusted data? Who entered it and was it scrubbed before persisting to the database? If that value is coming from the config file -- is that trusted? What about the returned data from a web service call -- is that trusted?

    If you're in Razor then you automatically get HtmlEncoding. If you're in WebForms then you can use the <%: foo %> syntax to make it easier to get encoding (less typing).

    Tuesday, July 10, 2012 11:02 AM
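The following C# console program is an added example, not code from the original thread. It puts the raw-concatenation form the answer warns against (the WebForms <%= %> equivalent) next to the encoded form that <%: %> and Razor give you, and extends the answer's point to the other places a "Name" value typically ends up: an attribute, a JavaScript string and a URL, each of which needs its own encoder. It assumes a console project that references System.Web.dll on .NET Framework 4.x, or .NET 6+ where System.Web.HttpUtility ships in the shared framework; the hostile input string is constructed for the demonstration.

```csharp
// Added example, not code from the original thread. Demonstrates output
// encoding per context with System.Web.HttpUtility. Assumes a console
// project referencing System.Web.dll (.NET Framework 4.x) or .NET 6+,
// where System.Web.HttpUtility is part of the shared framework.
using System;
using System.Web;

static class XssEncodingDemo
{
    // Constructed attacker input for the demo: what a "Name" textbox might
    // actually receive. The first half targets element content, the second
    // half tries to break out of a quoted attribute.
    public const string HostileName =
        "<script>alert(1)</script>\" onmouseover=\"alert(2)";

    // 1. Vulnerable: raw concatenation, the same thing <%= name %> does in
    //    WebForms. The <script> element is emitted verbatim and executes.
    public static string RenderUnsafe(string name)
    {
        return "<td>" + name + "</td>";
    }

    // 2. Element content: HtmlEncode turns < > & " into entities so the
    //    browser renders the payload as inert text. This is what <%: name %>
    //    and Razor's @name do for you.
    public static string RenderHtmlBody(string name)
    {
        return "<td>" + HttpUtility.HtmlEncode(name) + "</td>";
    }

    // 3. Attribute value: use HtmlAttributeEncode and always quote the
    //    attribute. HtmlAttributeEncode leaves spaces alone, so an unquoted
    //    attribute could still be terminated by one.
    public static string RenderAttribute(string name)
    {
        return "<input type=\"text\" name=\"name\" value=\""
             + HttpUtility.HtmlAttributeEncode(name) + "\" />";
    }

    // 4. JavaScript string literal: HTML entities mean nothing inside a
    //    <script> block, so HtmlEncode is the wrong tool here.
    //    JavaScriptStringEncode escapes quotes, backslashes and the < > &
    //    characters that could otherwise close the script element.
    public static string RenderScript(string name)
    {
        return "<script>var n = "
             + HttpUtility.JavaScriptStringEncode(name, addDoubleQuotes: true)
             + ";</script>";
    }

    // 5. URL query string: percent-encode the value so it cannot add or
    //    alter parameters, then attribute-encode the finished href because
    //    it is being written into an attribute.
    public static string RenderLink(string name)
    {
        string href = "/search?q=" + HttpUtility.UrlEncode(name);
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">search</a>";
    }

    static void Main()
    {
        Console.WriteLine("unsafe:    " + RenderUnsafe(HostileName));
        Console.WriteLine("body:      " + RenderHtmlBody(HostileName));
        Console.WriteLine("attribute: " + RenderAttribute(HostileName));
        Console.WriteLine("script:    " + RenderScript(HostileName));
        Console.WriteLine("link:      " + RenderLink(HostileName));
    }
}
```

Run it and compare the first line with the others: only the unsafe one still contains a live <script> element. The design choice worth taking from it is to encode at the point of output, not before storing. The same Name value may land in a table cell, an attribute and a script block on different pages, each needing a different encoder, and a value that was HtmlEncoded before it went into the database comes back double-encoded when <%: %> or Razor encodes it again on the way out.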
  • User1779161005 posted

    Oh I was going to also mention -- the AntiXSS/WPL library on codeplex -- they have a Sanitize API to clean data before you store it to the DB. This is a nice extra layer of protection.

    Tuesday, July 10, 2012 11:04 AM

All replies

  • User-2097567671 posted

    Excellent!  Thanks for your reply and the great advice; it lines up exactly with other articles I have been reading.

    Tuesday, July 10, 2012 11:13 AM