You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: aspnetcore/security/cross-site-scripting.md
+3-2Lines changed: 3 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,6 +6,7 @@ ms.author: tdykstra
6
6
monikerRange: '>= aspnetcore-3.1'
7
7
ms.date: 2/15/2020
8
8
uid: security/cross-site-scripting
9
+
ai-usage: ai-assisted
9
10
---
10
11
# Prevent Cross-Site Scripting (XSS) in ASP.NET Core
11
12
@@ -22,8 +23,8 @@ To prevent XSS attacks, web APIs should implement input validation and output en
22
23
At a basic level, XSS works by tricking your application into inserting a `<script>` tag into your rendered page, or by inserting an `On*` event into an element. Developers should use the following prevention steps to avoid introducing XSS into their applications:
23
24
24
25
1. Never put untrusted data into your HTML input, unless you follow the rest of the steps below. Untrusted data is any data that may be controlled by a cyberattacker, such as HTML form inputs, query strings, HTTP headers, or even data sourced from a database, as a cyberattacker may be able to breach your database even if they can't breach your application.
25
-
1. Before putting untrusted data inside an HTML element, ensure it's HTML encoded. HTML encoding takes characters such as < and changes them into a safe form like &lt;.
26
-
1. Before putting untrusted data into an HTML attribute, ensure it's HTML encoded. HTML attribute encoding is a subset of HTML encoding and encodes double quote ("), single quote ('), ampersand (&), and less-than (<) characters.
26
+
1. Before putting untrusted data into an HTML element, ensure thatt it's HTML encoded. HTML encoding takes characters such as < and changes them into a safe form like &lt;.
27
+
1. Before putting untrusted data into an HTML attribute, ensure that it's HTML attribute encoded. This specialized form of HTML encoding handles double quotes (\"), single quotes ('\), ampersands (\&), and less-than (\<) characters. When dealing with untrusted input, use HTML encoding for general HTML content and HTML attribute encoding for HTML attributes.
27
28
1. Before putting untrusted data into JavaScript, place the data in an HTML element whose contents you retrieve at runtime. If this isn't possible, then ensure the data is JavaScript encoded. JavaScript encoding takes dangerous characters for JavaScript and replaces them with their hex, for example, < would be encoded as `\u003C`.
28
29
1. Before putting untrusted data into a URL query string ensure it's URL encoded.
0 commit comments