@@ -11,17 +11,33 @@ without properly sanitizing the input first, allows for a cross-site scripting v
1111</overview >
1212<recommendation >
1313
14- <p >To guard against cross-site scripting, consider using contextual output encoding/escaping before
15- writing user input to the page, or one of the other solutions that are mentioned in the
16- references.</p >
14+ <p >
15+ To guard against cross-site scripting, consider using a library providing suitable encoding
16+ functionality, such as the <code >System.Net.WebUtility</code > class or the AntiXSS library,
17+ to sanitize the untrusted input before writing it to the page.
18+ The references also mention other possible solutions.
19+ </p >
1720
1821</recommendation >
1922<example >
2023
21- <p >The following example shows the page parameter being written directly to the server error page,
22- leaving the website vulnerable to cross-site scripting.</p >
23-
24+ <p >
25+ The following example shows the page parameter being written directly to the server error page,
26+ leaving the website vulnerable to cross-site scripting.
27+ </p >
2428<sample src =" XSS.cs" />
29+ <p >
30+ Sanitizing the user-controlled data using <code >WebUtility.HtmlEncode</code > method prevents the vulnerability:
31+ </p >
32+ <sample src =" XSSGood.cs" />
33+ <p >
34+ Alternatively, the AntiXSS library can be used to sanitize the user-controlled data:
35+ </p >
36+ <sample src =" XSSGood2.cs" />
37+ <p >
38+ Recall that this solution requires the AntiXSS library to be installed, for example by
39+ adding a package reference to the AntiXSS NuGet package to the project file.
40+ </p >
2541
2642</example >
2743<references >
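Review bot: the new recommendation paragraph says to "sanitize the untrusted input" with <code>System.Net.WebUtility</code> or AntiXSS, but what those libraries do is output encoding, and the removed wording "contextual output encoding/escaping before writing user input to the page" was the more accurate description; dropping "contextual" loses the point that HTML encoding is only the right choice when the value lands in an HTML context. Suggest keeping that qualifier, e.g. "consider using contextual output encoding, for example via the <code>System.Net.WebUtility</code> class or the AntiXSS library, before writing untrusted data to the page". Two smaller points in the example section: "using <code>WebUtility.HtmlEncode</code> method" is missing "the", and "Recall that this solution requires the AntiXSS library" introduces the NuGet requirement for the first time, so "Note that" reads better than "Recall that".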
3551<li >
3652Wikipedia: <a href =" http://en.wikipedia.org/wiki/Cross-site_scripting" >Cross-site scripting</a >.
3753</li >
54+ <li >
55+ AntiXSS: <a href =" https://www.nuget.org/packages/AntiXss" >AntiXSS NuGet package</a >.
56+ </li >
3857
3958
4059</references >
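Review bot: the references block gains only the AntiXSS NuGet entry, while the recommendation above lists <code>System.Net.WebUtility</code> first; add a matching reference entry for the <code>WebUtility.HtmlEncode</code> documentation so both recommended options are linked, following the existing "Name: <a ...>title</a>." format of the Wikipedia entry.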