prevent cross site scripting attack in asp.net

Question

I have a search page by number in asp.net websform. I want to make the page so that it will prevent any cross site scripting .

Can anybody sugest me the best solution for this.?

Answer 1

MSDN article "How To: Prevent Cross-Site Scripting in ASP.NET" goes into a lot of details on it. Partial content below.

---

Summary of Steps
To prevent cross-site scripting, perform the following steps:
Step 1. Check that ASP.NET request validation is enabled.
Step 2. Review ASP.NET code that generates HTML output.
Step 3. Determine whether HTML output includes input parameters.
Step 4. Review potentially dangerous HTML tags and attributes.
Step 5. Evaluate countermeasures.

Step 1. Check That ASP.NET Request Validation Is Enabled
By default, request validation is enabled in Machine.config. Verify that request validation is currently enabled in your server's Machine.config file and that your application does not override this setting in its Web.config file. Check that validateRequest is set to true as shown in the following code example.

<system.web>
  <pages buffer="true" validateRequest="true" />
</system.web>

You can disable request validation on a page-by-page basis. Check that your pages do not disable this feature unless necessary. For example, you may need to disable this feature for a page if it contains a free-format, rich-text entry field designed to accept a range of HTML characters as input. For more information about how to safely handle this type of page, see Step 5. Evaluate Countermeasures.

To test that ASP.NET request validation is enabled

1. Create an ASP.NET page that disables request validation. To do this, set ValidateRequest="false", as shown in the following code example.

   <%@ Page Language="C#" ValidateRequest="false" %> <html> <script runat="server"> void btnSubmit_Click(Object sender, EventArgs e) { // If ValidateRequest is false, then 'hello' is displayed // If ValidateRequest is true, then ASP.NET returns an exception Response.Write(txtString.Text); } </script> <body> <form id="form1" runat="server"> <asp:TextBox id="txtString" runat="server" Text="<script>alert('hello');</script>" /> <asp:Button id="btnSubmit" runat="server"
OnClick="btnSubmit_Click" Text="Submit" /> </form> </body> </html>

   2. Run the page. It displays Hello in a message box because the script in txtString is passed through and rendered as client-side script in your browser.
   3. Set ValidateRequest="true" or remove the ValidateRequest page attribute and browse to the page again. Verify that the following error message is displayed.

Step 2. Review ASP.NET Code That Generates HTML Output
Step 3. Determine Whether HTML Output Includes Input Parameters
Analyze your design and your page code to determine whether the output includes any input parameters. These parameters can come from a variety of sources. The following list includes common input sources:

Form fields, such as the following.
Response.Write(name.Text);
Response.Write(Request.Form["name"]);
Query Strings
Response.Write(Request.QueryString["name"]);

Query strings, such as the following:
Response.Write(Request.QueryString["username"]);

Databases and data access methods, such as the following:
SqlDataReader reader = cmd.ExecuteReader();
Response.Write(reader.GetString(1));

Be particularly careful with data read from a database if it is shared by other applications.
Cookie collection, such as the following:
Response.Write(
Request.Cookies["name"].Values["name"]);

Session and application variables, such as the following:
Response.Write(Session["name"]);
Response.Write(Application["name"]);

Step 4. Review Potentially Dangerous HTML Tags and Attributes Step 5. Evaluate Countermeasures

(© 2015 Microsoft, Terms of use)