From the course: ASP.NET: Security
Cross-site scripting (XSS): The defense
- Since cross-site scripting is so common, it looks like a defense against it would be very hard, but it isn't, especially with the Razor view engine. The @ character, which is used to output something (here a property of some variable), HTML-escapes the value prior to output. So if we are in an HTML context, outputting something within plain HTML, this already saves us from cross-site scripting, because it escapes all of HTML's special characters: the angle brackets, single quotes and double quotes. What we could also do is call the HtmlEncode method of HttpUtility. I'm using the old WebForms view engine for ASP.NET MVC here, which was available in earlier versions of ASP.NET MVC, just to show you how this would look; with Razor there is no need for us to do that, since the built-in HTML escaping is already there. However, you have to be very, very careful when in your code you find or use the Html.Raw HtmlHelper: as the name suggests, this outputs the given value without any escaping…
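As an added illustration (not the instructor's code from the course), here is a Razor view for an ASP.NET MVC 5 application that puts the three cases from the transcript side by side; it assumes a hypothetical view model with a user-supplied string property `Comment`:

```cshtml
@* Added example, not from the course. Assumes a hypothetical
   CommentViewModel whose Comment property holds user input. *@
@using System.Web
@model CommentViewModel

<h2>Comment</h2>

@* 1. Safe: a Razor '@' expression HTML-encodes the value before it is written.
      For the input <script>alert(1)</script> the page source contains
      &lt;script&gt;alert(1)&lt;/script&gt;, which the browser shows as text. *@
<p>@Model.Comment</p>

@* 2. Explicit encoding, the way the old WebForms view engine needed it.
      In Razor the result must be wrapped in Html.Raw, otherwise the '@'
      expression encodes the already-encoded string a second time and the
      page shows &amp;lt;script&amp;gt; literally instead of <script> as text. *@
<p>@Html.Raw(HttpUtility.HtmlEncode(Model.Comment))</p>

@* 3. Unsafe: Html.Raw writes the value verbatim, so any markup or script in
      Model.Comment is parsed and executed by the browser.
      Left commented out here to show what the vulnerable line looks like. *@
@* <p>@Html.Raw(Model.Comment)</p> *@
```

When auditing a code base, every `Html.Raw` call is worth a look: it is only safe when the argument is a constant or has already been encoded or sanitised on the server.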