
I am using ASP.NET, and the ASP.NET page has a validate attribute which checks for XSS. However, I would like to know: is it really sufficient?

I have visited some of the related posts on Stack Overflow and they helped me, but I am looking to understand how to plan for XSS when developing web sites.

Do we have to check for XSS on the client side and in AJAX calls as well? How do we do that? Are there any tools which can help with testing for XSS?

Thanks,

Anil Namde

2 Answers


These are the basics:

  • Do not allow HTML input
  • Always html encode input when displaying it
  • Use the AntiXSSLibrary from Microsoft, or a similar library
Oded
  • Although people always say "do not modify user input when inserting it into the DB", and that input may contain HTML... – Dor Mar 11 '10 at 13:49
  • @Dor - Where did I say anything about inserting to DB? – Oded Mar 11 '10 at 13:51
  • You didn't, but when you receive input from the user, you usually insert it into the database. – Dor Mar 11 '10 at 13:52
  • Then how do we deal with the situation where we have to insert data into the database? Should we restrict the user while they are entering the data on the client side? – Anil Namde Mar 11 '10 at 14:29
  • You insert into the DB what the client entered. When you display the data, HTML encode it (or use the AntiXSS Library). – Oded Mar 11 '10 at 14:44
  • @Anil Namde: Never trust the client-side limitations that you impose on the user! Those limitations are for user convenience only! – Dor Mar 11 '10 at 17:54
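As an added illustration of the rule in this answer and its comments (store the input unchanged, HTML-encode it at display time), applied on the client side where AJAX responses get rendered into the page. This is example code written for this page, not code from the answer or from Microsoft's AntiXSS library; the `renderComment` function and the sample record are assumptions.

```javascript
// Added example: "store raw, encode on output" on the client side.
// Runs in Node or a browser; the encoding step itself needs no DOM.

// HTML-encode a string for the HTML body or quoted-attribute context.
// Every character that can open a tag or close a quoted attribute is
// replaced, which is what makes unmodified stored input safe to display.
function htmlEncode(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
    '/': '&#47;',
  })[ch]);
}

// Build the markup for one comment returned by an AJAX call (hypothetical
// shape). The value was stored exactly as typed; only rendering encodes it.
function renderComment(comment) {
  return `<li class="comment" data-author="${htmlEncode(comment.author)}">` +
         `${htmlEncode(comment.body)}</li>`;
}

// Check a renderer could use in a unit test: a user value containing a tag
// or attribute delimiter must never appear verbatim in the rendered markup.
function containsRawMarkup(rendered, userValue) {
  return /[<>"']/.test(userValue) && rendered.includes(userValue);
}

// Constructed sample of what was submitted and stored as-is, following
// "do not modify user input when inserting it into the DB".
const stored = {
  author: 'x" onmouseover="alert(1)',
  body: '<script>alert(1)</script> hello',
};

console.log(renderComment(stored));
// prints a <li> whose author attribute and body contain only encoded text
```

In the browser, assigning AJAX-returned text with `element.textContent` instead of `innerHTML` gives the same protection without a manual encoding step; `htmlEncode` is for the case where you are building markup strings yourself.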

Check it out: Allowing HTML and Preventing XSS @ shiflett.org

Dor