
I am working on XSS (cross-site scripting) issues in my web application. The app has many user controls that take user input.

I came across this article http://www.asp.net/whitepapers/request-validation

Can you please answer the questions below:

Are there any downsides of using validateRequest="true" at application level (in web.config)?

Is there any better way to fix XSS issues apart from going on each and every control and doing HTML encode?

Thanks in advance.

ABCD

1 Answer

Something that initially springs to mind is the following:

If you are retrospectively adding validateRequest to a site, then any user input containing malicious scripts that you have already captured and stored in a database is still a vulnerability for your application; validateRequest won't protect you here, but HTML encoding will.

It may be a pain to plough your way through your app and HTML encode everything, but if you are really bothered then this is a necessary evil. Hackers are always coming up with new methods. If you use a library you will have to wait for updates to patch new holes, while leaving your site vulnerable. I believe HTML encoding is your best weapon to defend against XSS attacks.

Having said that, give this a quick read:

Will HTML Encoding prevent all kinds of XSS attacks?

SimonGates