views:

172

answers:

4

Hi all..

Been reading up on various injection-type attacks, and it seems like the best way to get rid of these vulnerabilities is to encode all user input to remove / replace some characters with others (< > ; etc).

What's my best bet here? Are there any nice libraries out there to aid me with this? Or something that could help me spot potential vulnerabilities? - Or are regular expressions my best bet? :)

Thanks a lot

+2  A: 

The Server in ASP.NET Page instances (accessible via Page i.e. this) offers an HtmlEncode() method that should suffice to prevent XSS attacks.

By default, without explicitly allowing it in either web.config or via a page directive, ASP.NET will reject any suspicious input with an error page.

Martin C.
+3  A: 

Take a look at the AntiXSS library.

bdukes
wow .. that looks great :S Can't believe it's not more hyped if it actually does what they say it does :)
cwap
+1  A: 

OWASP Antisamy and OWASP ESAPI.

Of these, I would vote for ESAPI, since I've used the Java version of ESAPI to prevent XSS attacks. Keep in mind that plain HTML encoding of data will not prevent XSS. The context of the data is important as well - you will have to escape JavaScript if you are dynamically generating it and injecting it into the response at the server.

Vineet Reynolds
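An added example (not code from any of the answers or from ESAPI/AntiXSS) illustrating the point above that plain HTML encoding is not enough when the value lands inside JavaScript. Python is used here only for illustration; `html_encode` stands in for a Server.HtmlEncode-style encoder, `js_string_escape` follows the approach ESAPI's encodeForJavaScript takes, and `greet` and the sample input are constructed for the demo.

```python
import html
import re

# Constructed sample input (not from the page): a value a user might submit.
UNTRUSTED = "Bob'); alert(document.cookie); //"

def html_encode(s: str) -> str:
    """HTML-entity encode for an HTML text or attribute context
    (the job Server.HtmlEncode does): escapes & < > " and '."""
    return html.escape(s, quote=True)

def js_string_escape(s: str) -> str:
    """Escape for use inside a JavaScript string literal: every character that
    is not ASCII-alphanumeric becomes \\xHH or \\uHHHH (the ESAPI
    encodeForJavaScript approach). Quotes, backslashes, newlines and < > are
    all neutralised, so the value can neither end the string nor the script."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isalnum() and cp < 128:
            out.append(ch)
        elif cp < 256:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)

def render_onclick(value: str, encode_for_js: bool) -> str:
    """Build <a onclick="greet('...')"> with the value inside a JS string.
    The browser HTML-decodes an attribute value before handing it to the JS
    engine, so the value needs JS escaping first and HTML encoding second
    (one encoder per layer, innermost first)."""
    inner = js_string_escape(value) if encode_for_js else value
    return f'<a onclick="greet(\'{html_encode(inner)}\')">hi</a>'

def js_seen_by_browser(markup: str) -> str:
    """Simulate the browser: take the onclick attribute and HTML-decode it.
    This is what turns &#x27; back into a quote before the JS runs."""
    attr = re.search(r'onclick="([^"]*)"', markup).group(1)
    return html.unescape(attr)

def string_literal_intact(js: str) -> bool:
    """True if the whole handler is still one call with one string argument,
    i.e. the user value did not break out of the string literal."""
    return re.fullmatch(r"greet\('(?:[^'\\]|\\.)*'\)", js) is not None
```

With HTML encoding alone the decoded handler becomes `greet('Bob'); alert(document.cookie); //')`, so the check fails; with JS escaping applied first it stays a single string argument.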
A: 

You got 3 nice choices for Cross-site Scripting protection:

I would try in this order.

dr. evil