How to prevent Cross site scripting XSS using MVC 3

Question

Possible Duplicate:
How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

Hi I need to create a guest book, where users can add their comments and have theme being displayed without moderation on a page.

I'm using Asp.Net MVC 3 in C#.

Could you point me out some tecnics? thanks

Thanks for your time.

PS I'm using Razor

This question is answered at: http://stackoverflow.com/questions/3955658/how-do-you-avoid-xss-vulnerabilities-in-asp-net-mvc — Eric Cornelson, Jul 19 '12 at 13:31
@GibboK... which view engine are you using? razor or asp.net? — spender, Jul 19 '12 at 13:32
@Shyju , question is about XSS, **not** CSRF. There's a difference. — spender, Jul 19 '12 at 13:33

spender · Answer 1 · 2012-07-19T13:38:02.333

Just make sure all user generated content is HTML encoded before you write it to the browser and you'll be fine. Razor view engine does this by default... it's actually quite hard to screw up on this using Razor.

So:

@"<script>badness</script>"

in Razor would render in HTML as

&lt;script&gt;badness%lt;/script&gt;

to achieve the same in ASP.NET view engine use <%:expression%> as opposed to <%=expression%>

<%:"<script>badness</script>"%>

score 1 · Answer 2 · answered Jul 19 '12 at 13:32

You could you the AntiXSS library. This is mentioned by:

How to prevent Cross site scripting XSS using MVC 3

2 Answers2