From the course: ASP.NET: Security

Cross-site scripting (XSS) in JavaScript

- [Instructor] You may have noticed that I insisted that we are in an HTML context while we were discussing both how cross-site scripting works and how to mitigate that. And indeed that's important, because if we are in a JavaScript context, some things change. Let's have a look at the application. Here we are putting the user's input directly into a JavaScript string and then putting that string into our H1 heading further up on the page. And this is the problem. We have the @ character here, which means that opening and closing angled brackets are escaped for HTML. Single and double quotes are escaped, and the ampersand character is escaped as well. But within a JavaScript string, there are other special characters which are not taken into account here. One very obvious special character is here. Well, first of all, the single quote, because it delimits the string. But that's been taken care of. However, what else is a special character within a JavaScript string? Quite obviously, it's the…
