From the course: ASP.NET: Security


Cross-site scripting (XSS): The defense


- Since cross-site scripting is so common, it looks like a defense against it would be very hard, but no, it isn't, especially if the Razor view engine is there. The at character, which can be used to output some things, so here a property of some variable. This at character HTML escapes prior to output. So if we are in an HTML context, if we output something within plain HTML, then this already saves us from cross-site scripting, because this escapes all special characters in HTML: the brackets, single quotes, and double quotes. What we could also do is call the HtmlEncode method of HttpUtility. I'm using the old Web Forms view engine for ASP.NET MVC here, which was available in earlier versions of ASP.NET MVC, just to show you what this would look like, but there is no need for us to do that with the built-in HTML escape in there. However, you have to be very, very careful when in your code you find or use the Html.Raw HtmlHelper; as the name suggests, this outputs the given value here without any escaping…
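The three output paths described above, side by side in one ASP.NET MVC Razor view. This is an added illustration, not code from the course; it assumes a view model type `CommentViewModel` with a user-supplied `Comment` string and a `TrustedHtml` string that the server itself generated.

```razor
@* Added example, not from the course: Razor's default encoding versus
   explicit HttpUtility.HtmlEncode versus the unencoded Html.Raw helper.
   CommentViewModel, Comment and TrustedHtml are assumed names. *@
@model CommentViewModel
@using System.Web

<div class="comment">
    @* 1. Plain Razor output: the @ character HTML-encodes the value before it
          is written, so <, >, &, " and ' in Comment reach the browser as
          entities and render as text, never as markup. In an HTML text
          context this default is the whole XSS defense. *@
    <p>@Model.Comment</p>

    @* 2. Explicit encoding, as the older Web Forms view engine required.
          In Razor this is equivalent to (1); shown only for comparison. *@
    <p>@HttpUtility.HtmlEncode(Model.Comment)</p>

    @* 3. Html.Raw writes its argument with NO encoding. Reserve it for markup
          the application produced itself and review every call site; passing
          user input such as Model.Comment here would undo (1) and (2). *@
    <div class="rendered">@Html.Raw(Model.TrustedHtml)</div>
</div>
```

A quick audit for this class of bug is to search the views for `Html.Raw(` and confirm each argument is never derived from request data.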