none
Antixss decoding RRS feed

  • Question

  • Hi,

    I have a asp.net 3.5 application with at textbox that i enter a value <fef>@t<es>f.com I am trying to test a cross-side scripting attack.

    I hit submit and let the page post back. once the page has completed post back. I do a view source and see that the greater than(>) sign is decoded but the lessthan(<) isnt. Can anyone help me solve this issue. I have referenced antixss 4.2.1 and using the 3.5 framework version antixss dll.  I know in 4.0 and i have tested that we have to add httpruntime keys for antixss and the issue is resolved. and it looks good. But again in 3.5 same issue. Is there something i am missing?? Thanks is advanced for any responses 


    Cheers

    Tuesday, June 26, 2012 12:42 PM

Answers

  • In 3.5 you will need to call AntiXSS directly when setting properties on asp.net controls; for example

    control.Text = Microsoft.Security.Application.AntiXss.HtmlEncode(myVariable)

    Monday, July 16, 2012 10:38 PM
    Moderator