Can anybody list the techniques and security measures for XSS prevention in MVC .NET?

Arslan Ali
khush

2 Answers

In our project we prevent XSS from the client side itself by overriding jQuery's .val() function. The idea is that whenever we get the value from a textbox we always get it encoded, using the following overridden function:

var shouldBeEncoded = true;
// Overriding jQuery's val() so that reading a textbox returns the HTML-encoded value
(function ($) {
  var originalVal = $.fn.val;
  $.fn.val = function () {
    // Setter calls (val(newValue)) and the unencoded path are delegated to the
    // original jQuery implementation, so val() keeps working for assignments
    if (arguments.length > 0 || !shouldBeEncoded) {
      return originalVal.apply(this, arguments);
    }
    // Using .text() to store the value as a text node and .html() to read it
    // back gives the HTML-encoded form, which is safe to insert into the page
    return $("<div/>").text(originalVal.call(this)).html();
  };
})(jQuery);

$("#btnEnc").click(function () {
  shouldBeEncoded = true;
  $("#withEncoding").html("Encoded : " + $("#txt").val());
});

$("#btnNoEnc").click(function () {
  shouldBeEncoded = false;
  console.log($("#txt").val());
  $("#withoutEncoding").html("Without encoding : " + $("#txt").val());
});

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<input type="text" id="txt" value="<script>alert(1)</script>" />
<input type="button" value="Show me with encoding" id="btnEnc" />
<input type="button" value="Show me without encoding" id="btnNoEnc" />

<div id="withEncoding"></div>

<div id="withoutEncoding"></div>
Mox Shah
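The .text().html() trick above encodes for the HTML body context only; as an added example that is not from the answer or from jQuery, here is a dependency-free encoder that does the same job in plain JavaScript and also encodes quotes, so the value is safe inside a quoted attribute as well. The helper names (encodeForHtml, decodeHtml, isFullyEncoded, renderResult) and the sample inputs are this example's own, apart from the `<script>alert(1)</script>` value taken from the snippet.

```javascript
// Added example, not code from the answer above. Runs in Node without a browser or jQuery.

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change meaning in HTML text or in a quoted attribute.
// innerHTML serialization of a text node (what $("<div/>").text(v).html() relies on) only
// escapes &, < and >, so a quote in the value could still end an attribute; this covers it.
function encodeForHtml(value) {
  // Coerce to string so null/undefined/numbers from a form field cannot skip encoding.
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Inverse of encodeForHtml, used only to verify that encoding is lossless.
function decodeHtml(value) {
  const reverse = Object.fromEntries(Object.entries(HTML_ENTITIES).map(([c, e]) => [e, c]));
  return value.replace(/&(amp|lt|gt|quot|#39);/g, (entity) => reverse[entity]);
}

// Check helper: true when the string has no raw markup characters and every '&'
// starts one of the entities we emit (i.e. nothing the parser could treat as markup).
function isFullyEncoded(s) {
  return !/[<>"']/.test(s) && !/&(?!(amp|lt|gt|quot|#39);)/.test(s);
}

// Mirror of the answer's click handler ("Encoded : " + value), but the value is placed in
// an attribute as well as in the element body, so both contexts must be safe.
function renderResult(label, untrusted) {
  const safe = encodeForHtml(untrusted);
  return `<div title="${safe}">${label} : ${safe}</div>`;
}

// Constructed sample inputs; the first one is the value used in the answer's snippet.
const SAMPLES = [
  "<script>alert(1)</script>",
  'Tom said "hi" & left',   // constructed: double quotes and an ampersand
  "it's <b>bold</b>",       // constructed: apostrophe plus tags
];

function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    encoded: encodeForHtml(s),
    roundTrips: decodeHtml(encodeForHtml(s)) === s,
    fragment: renderResult("Encoded", s),
  }));
}
```

Client-side encoding is only a help against DOM-based XSS in client-rendered markup; in an ASP.NET MVC application the authoritative defense remains server-side output encoding (Razor's `@` syntax HTML-encodes by default), because anyone who bypasses the browser also bypasses this helper.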

Have a look at this answer. It is also a good idea to validate your site with tools like AsafaWeb, not just for XSS but for a wider range of issues.

D.Rosado