So I'm setting up my form validation, inputs, error messages, etc., and then realized a lot of the info that I'm collecting will need to be output again at some point.

So I wrapped my inputs in:

Server.HtmlEncode(txtBox.Text); // encode the TextBox value before using it

What else should I be doing to ensure that I avoid XSS types of attacks? Should I be doing something when I write the data to the page as well?

+1  A: 

From a security point of view, our Web forms are naked and 100% vulnerable. We need to look at all the ways data is passed to them and test as appropriate:

* Form Fields
* URL Query Strings
* Cookies
* Database
* ViewState

MSDN Design Guidelines for Secure Web Applications: http://msdn.microsoft.com/en-us/library/aa302420.aspx

Microsoft Anti-Cross Site Scripting Library: http://msdn.microsoft.com/en-us/security/aa973814.aspx

The Code Analysis Tool (CAT.NET): http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en

ASP.NET Data Input Validation: http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx

EDIT: Coming soon, the new Web Protection Library CTP: http://blogs.msdn.com/securitytools/archive/2009/10/17/web-protection-library-ctp-release-coming-soon.aspx

IrishChieftain
http://msdn.microsoft.com/en-us/library/ms998274.aspx is specific to .NET 1.0/2.0 XSS
Mark
Here is a good cheat sheet: http://ha.ckers.org/xss.html
Also read Jeff's posts here: http://blog.stackoverflow.com/2008/06/safe-html-and-xss/
iHeartDucks
+1  A: 

I suggest you HtmlEncode when you output data to the page, not when you collect it. From Stack Overflow podcast #58:

Don’t HTML encode data that’s stored in your database! Take the good advice of Damien Guard and Joel Spolsky! You can choose to store both representations, but don’t store just the HTML; go with the raw data at the highest level of precision.


Pavel Chuchuva
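The two answers above make complementary points: the first, that data reaches the page by several routes and has to be handled for each, and the second, that the encoding belongs at the output, with the raw value kept in storage. The following is an added example (not code from the question, either answer, or Microsoft's libraries) showing both in one console program. It assumes a .NET 6+ project, where System.Text.Encodings.Web ships with the runtime; the Save/Load store and the For* helper names are hypothetical names chosen for this demo, and RawInput is a constructed sample of a hostile form value.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Encodings.Web;

// Added example, not code from the question or either answer.
// Assumes a .NET 6+ console project; System.Text.Encodings.Web ships with the runtime.
// Save/Load and the For* helpers are hypothetical names chosen for this demo.
static class EncodeAtOutput
{
    // Constructed sample of a hostile value submitted through a form field.
    public const string RawInput =
        "Bob\" onmouseover=\"alert(1)\" <script>alert('xss')</script> & Co";

    // Stand-in for the database column: holds the raw value, nothing encoded.
    private static readonly Dictionary<string, string> Store = new();

    public static void Save(string key, string value) => Store[key] = value;
    public static string Load(string key) => Store[key];

    // Pick the encoder by where the value is about to land, not by where it came from.
    public static string ForHtmlBody(string s) => HtmlEncoder.Default.Encode(s);        // <p>HERE</p>
    public static string ForHtmlAttribute(string s) => HtmlEncoder.Default.Encode(s);   // value="HERE" (attribute must be quoted)
    public static string ForJavaScript(string s) => JavaScriptEncoder.Default.Encode(s); // var n = "HERE"; (also escapes < and &)
    public static string ForUrlParameter(string s) => UrlEncoder.Default.Encode(s);     // href="/x?q=HERE"

    static void Main()
    {
        // Store the raw data at full precision, as the second answer recommends.
        Save("name", RawInput);
        string name = Load("name");

        // Each output location encodes for its own context at the moment of output.
        Console.WriteLine($"<p>{ForHtmlBody(name)}</p>");
        Console.WriteLine($"<input type=\"text\" value=\"{ForHtmlAttribute(name)}\">");
        Console.WriteLine($"<script>var name = \"{ForJavaScript(name)}\";</script>");
        Console.WriteLine($"<a href=\"/search?q={ForUrlParameter(name)}\">search</a>");

        // The cost of encoding on input instead (the question's approach): the stored
        // value is already HTML, so the page output double-encodes it and the user sees
        // &lt;script&gt; literally, while a plain-text e-mail built from the same row
        // carries HTML entities it cannot render.
        Save("name-encoded-on-input", HtmlEncoder.Default.Encode(RawInput));
        string alreadyEncoded = Load("name-encoded-on-input");
        Console.WriteLine($"<p>{ForHtmlBody(alreadyEncoded)}</p>");   // double-encoded
        Console.WriteLine($"Subject: Hello {alreadyEncoded}");         // entities in plain text
    }
}
```

The page's Server.HtmlEncode covers the HTML body and quoted-attribute cases here; a value written into a script block or a URL needs the JavaScript or URL encoder instead, because HTML entities are not interpreted inside those contexts. Query strings, cookies, ViewState and database rows listed in the first answer all flow through the same Save/Load path in this demo: whatever the source, the value stays raw until the line that writes it out.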