What is the way(best practice) to deal with XSS ? | ansaurus

tags:

views:

92

answers:

2

+3 Q:

What is the way(best practice) to deal with XSS ?

I am using ASP.NET and on ASP.NET page has validate attribute which checks for the XSS validations. However i would like to know that is it really sufficient ?

I have visited some of the related post on stackoverflow and that helped me but i am looking to understand how to plan for XSS when developing web sites ?

Do we have to check XSS on client side, AJAX also ? How to do that ? Are there any tools which can help testing the XSS ?

Thanks,

+4 A:

These are the basics:

Do not allow HTML input
Always html encode input when displaying it
Use the AntiXSSLibrary from Microsoft, or a similar library

Oded 2010-03-11 13:44:48

Although people always say "do not modify user input when inserting it to the DB" which may contain HTML...

Dor 2010-03-11 13:49:40

@Dor - Where did I say anything about inserting to DB?

Oded 2010-03-11 13:51:13

You didn't, but when you receive input from the user, you usually insert that to the database.

Dor 2010-03-11 13:52:08

Then how to deal with situation where we have to insert data into the database ? should we restrict the user while entering the data on client side ?

Anil Namde 2010-03-11 14:29:09

You insert into the DB what the client entered. When you display the data, html encode it (or use the AntiXSS Library).

Oded 2010-03-11 14:44:09

@Anil Namde: Never trust the client-side limitations that you reflect on the user! Those limitations are for user convenience only!

Dor 2010-03-11 17:54:19

+2 A:

Check it out: Allowing HTML and Preventing XSS @ shiflett.org

Dor 2010-03-11 13:53:58

related questions

Web framework programming mindset

ASP.NET - asp:xxx Controls versus standard HTML

From Desktop to Web browser considerations

Which PHP Framework will get me to a usable UI the fastest?

Best practice for integrating TDD with web application development?

How to Manage Web Development?

When is a file just a file?

Recommendations for browser add-on tools to help with development

REALLY Simple Website--How Basic Can You Go?

Convince Firefox to send an If-Modified-Since header over HTTPS

What do the getUTC* methods on the date object do?

Planning and Building a mobile enabled site for your main site.

Firebug for IE

Javascript and PHP - Login Script with hidden buttons

Firebug won't display console feeds for some of my sites

Displaying ad content from Respose.WriteFile()/ Response.ContentType

How can I detect if a browser is blocking an popup?

How to Test Web Code?

What PHP framework would you choose for a new application and why?

How do you disable browser Autocomplete on web form field / input tag?

What is Progressive Enhancement?

In HTML, how to word-break on a dash?

The Definitive Guide To Website Authentication

How do you test layout design across multiple browsers/OSs?

How much of the Web build process do you/should you automate?