I have a search page by number in asp.net websform. I want to make the page so that it will prevent any cross site scripting .
Can anybody sugest me the best solution for this.?
Copyright © 2021 Jogjafile Inc.
MSDN article "How To: Prevent Cross-Site Scripting in ASP.NET" goes into a lot of detail on it. Partial content below.
Summary of Steps
To prevent cross-site scripting, perform the following steps:
Step 1. Check that ASP.NET request validation is enabled.
Step 2. Review ASP.NET code that generates HTML output.
Step 3. Determine whether HTML output includes input parameters.
Step 4. Review potentially dangerous HTML tags and attributes.
Step 5. Evaluate countermeasures.
Step 1. Check That ASP.NET Request Validation Is Enabled
By default, request validation is enabled in Machine.config. Verify that request validation is currently enabled in your server's Machine.config file and that your application does not override this setting in its Web.config file. Check that validateRequest is set to true as shown in the following code example.
You can disable request validation on a page-by-page basis. Check that your pages do not disable this feature unless necessary. For example, you may need to disable this feature for a page if it contains a free-format, rich-text entry field designed to accept a range of HTML characters as input. For more information about how to safely handle this type of page, see Step 5. Evaluate Countermeasures.
To test that ASP.NET request validation is enabled
Create an ASP.NET page that disables request validation. To do this, set ValidateRequest="false", as shown in the following code example.
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
    void btnSubmit_Click(Object sender, EventArgs e)
    {
        // If ValidateRequest is false, then 'hello' is displayed
        // If ValidateRequest is true, then ASP.NET returns an exception
        Response.Write(txtString.Text);
    }
</script>
<body>
    <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server"
                     Text="<script>alert('hello');</script>" />
        <asp:Button id="btnSubmit" runat="server"
                    OnClick="btnSubmit_Click" Text="Submit" />
    </form>
</body>
</html>
Step 2. Review ASP.NET Code That Generates HTML Output
Step 3. Determine Whether HTML Output Includes Input Parameters
Analyze your design and your page code to determine whether the output includes any input parameters. These parameters can come from a variety of sources. The following list includes common input sources:
Step 4. Review Potentially Dangerous HTML Tags and Attributes
Step 5. Evaluate Countermeasures
(© 2015 Microsoft, Terms of use)
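Applied to the search-by-number page from the question, here is an added example (my own code, not from the MSDN article or the answer above) of the countermeasures the steps describe: request validation stays at its default, the input is constrained to an integer before it is used, and anything reflected back is HTML-encoded. The control names (txtNumber, btnSearch, lblResult) and the page class name are assumptions.

```csharp
// Added example: code-behind for a hypothetical search-by-number WebForms page.
// Assumes the .aspx leaves ValidateRequest at its default (true) and declares
// a TextBox "txtNumber", a Button "btnSearch" and a Label "lblResult".
using System;
using System.Globalization;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class SearchByNumber : Page
{
    protected void btnSearch_Click(object sender, EventArgs e)
    {
        lblResult.Text = RenderResult(txtNumber.Text);
    }

    // Builds the HTML that the Label will emit. asp:Label renders Text without
    // encoding, so the only safe things to put in it are literal markup we wrote
    // ourselves and HtmlEncode'd user input.
    internal static string RenderResult(string raw)
    {
        // Constrain input (Step 5): a numeric search needs nothing but digits.
        // NumberStyles.None rejects signs, whitespace, thousands separators, etc.,
        // so "<script>" or "1 OR 1=1" never gets past this point.
        int number;
        bool isNumber = int.TryParse(raw, NumberStyles.None,
                                     CultureInfo.InvariantCulture, out number);
        if (!isNumber)
        {
            // The rejected text is reflected only after encoding: '<' becomes "&lt;",
            // so the browser displays the text instead of executing it (Steps 2 and 3:
            // output that includes an input parameter must be encoded).
            return "Not a valid number: " + HttpUtility.HtmlEncode(raw);
        }

        // Only the validated integer reaches the output. Its string form is digits
        // only, so it cannot carry markup; pass 'number' on to the actual lookup.
        return "Results for item " + number.ToString(CultureInfo.InvariantCulture);
    }
}
```

Request validation remains enabled as a second layer, but the encoding above is what protects the page even if validation is later switched off for this .aspx.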