I've downloaded and looked at the Microsoft AntiXSS library, but I'm not 100% sure I need to use it for server controls (asp:textbox, etc.). Everything is fine when I use it with a standard HTML control (input, etc.). It looks like the output is encoded twice when I use the AntiXSS lib on the server controls.

I'm currently only using the AntiXSS lib for the standard HTML controls. Am I protected from cross-site scripting by using the server controls, and is this the best practice?

+2  A: 

Unfortunately, the HTML encoding story for the server controls isn't consistent, such that you can say that using server controls will automatically solve the problem. See "What's wrong with ASP.NET? HTML encoding" for a table of which server controls need you to manually encode their output.

bdukes
Thanks @bdukes. It looks like the answer is a resounding "sometimes" or "maybe". Uggh.
Tim
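
An added illustration of the inconsistency discussed in this thread (not part of the original question, answer or comment): a console program that renders an asp:TextBox and an asp:Label with raw and with pre-encoded text. It assumes .NET Framework with a reference to System.Web; `HttpUtility.HtmlEncode` stands in for the AntiXSS encoder call, and the input string is constructed.

```csharp
// Added example: compares how two server controls treat their Text property.
// Assumes .NET Framework with a reference to System.Web.
using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

static class ServerControlEncodingDemo
{
    // Render one control to a string, outside of a page, so the markup
    // it emits can be inspected directly.
    static string Render(Control control)
    {
        using (var sw = new StringWriter())
        using (var writer = new HtmlTextWriter(sw))
        {
            control.RenderControl(writer);
            return sw.ToString();
        }
    }

    static void Main()
    {
        // Constructed sample input containing HTML metacharacters.
        string input = "<b>\"Tim\" & co</b>";

        // Stand-in for the AntiXSS encoder (assumption: any HTML encoder
        // shows the same effect here).
        string encoded = HttpUtility.HtmlEncode(input);

        // TextBox encodes Text itself when it writes the value attribute.
        Console.WriteLine("TextBox, raw text:         " + Render(new TextBox { Text = input }));

        // Encoding first and then assigning to TextBox encodes twice:
        // the entities from the first pass are encoded again.
        Console.WriteLine("TextBox, pre-encoded text: " + Render(new TextBox { Text = encoded }));

        // Label writes Text as-is, so raw input reaches the page as markup.
        Console.WriteLine("Label, raw text:           " + Render(new Label { Text = input }));

        // For Label the caller has to encode before assigning.
        Console.WriteLine("Label, pre-encoded text:   " + Render(new Label { Text = encoded }));
    }
}
```

Comparing the four printed lines shows which assignment needs manual encoding and which one produces the double encoding described in the question.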