Hi All,

I currently have a single ASP.NET page that displays a grid with a single column with rich text in it. This is a logical 3-tier app. The BLL returns a collection to the UI to bind to the grid.

Currently, when you edit the column it gives you a rich text editor and all the data get saved to a database.

With the way it's designed now, what's the best way to use Microsoft's Anti-XSS library, or is it even possible? Do I need to redesign?

Thanks, rod.

A: 

I don't think you need to redesign necessarily, you might want to add the AntiXSS piece to your BLL is all.

To avoid XSS attacks, you need to accept user input from the rich text editor and save that to your database. Then when the user input is returned from the database to the screen, you need to encode it so that <script> tags don't get rendered out as <script>, they get rendered as &lt;script&gt; which will stop them executing in the browser.

Since you say that your BLL returns a collection to the UI, I should say that the point you need to be calling the AntiXSS encoding methods is the point at which the collection is created from the rows in the database. If you post the relevant section of your code, we should be able to see exactly where the changes are needed.

PhilPursglove
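As an added illustration of the answer's point (example code, not the asker's or answerer's own; the RichTextItem type, the RichTextBll class and the MapRows method are hypothetical), the BLL maps each database row into the collection the UI binds to and applies the AntiXSS encoding at that point. Plain HtmlEncode renders markup literally, so a column that is meant to keep its rich-text formatting would instead go through the AntiXSS 4.x Sanitizer.GetSafeHtmlFragment, which strips script and event handlers while keeping allowed tags; the example shows both paths.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Security.Application; // AntiXSS library: Encoder and Sanitizer

// Hypothetical DTO the BLL hands to the UI for grid binding.
public class RichTextItem
{
    public int Id { get; set; }
    public string Content { get; set; }   // already safe to render when it reaches the UI
}

public static class RichTextBll
{
    // Builds the collection from the database rows. Encoding happens here,
    // once, so the grid only ever binds to values that are safe to render.
    public static List<RichTextItem> MapRows(DataTable table, bool keepMarkup)
    {
        var items = new List<RichTextItem>();
        foreach (DataRow row in table.Rows)
        {
            string raw = row["Content"] as string ?? string.Empty;
            items.Add(new RichTextItem
            {
                Id = Convert.ToInt32(row["Id"]),
                Content = keepMarkup
                    // Rich-text column: drop script and event handlers, keep allowed tags.
                    ? Sanitizer.GetSafeHtmlFragment(raw)
                    // Plain column: <script> becomes &lt;script&gt; and is displayed, not run.
                    : Encoder.HtmlEncode(raw)
            });
        }
        return items;
    }
}
```

The untrusted text is still stored as the user entered it; only the copy handed to the UI is encoded or sanitized, which is the placement the answer recommends.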