Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
HttpUtility.HtmlEncode and XSS
Posted by: lazaruz
Date: June 05, 2009 05:51AM

I've been reading a lot of articles about XSS and HttpUtility.HtmlEncode in asp.Net.
Could it really be as simple as using HtmlEncode to protect myself from XSS? It just seems too easy...
Is there a way to inject code even if I use HtmlEncode on my output?

Re: HttpUtility.HtmlEncode and XSS
Posted by: Gareth Heyes
Date: June 05, 2009 05:57AM

javascript:alert(1)

and others

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: HttpUtility.HtmlEncode and XSS
Posted by: lazaruz
Date: June 05, 2009 06:23AM

Thanks for your response but is there something that could be added to the textbox that would work?

Re: HttpUtility.HtmlEncode and XSS
Posted by: Matt Presson
Date: June 05, 2009 10:25AM

<textarea><%= HttpUtility.HtmlEncode(userdata) %></textarea>

<input type="text" value="<%= encodeForHtmlAttribute(userdata) %>" />

Re: HttpUtility.HtmlEncode and XSS
Posted by: lazaruz
Date: June 05, 2009 02:24PM

I'm with you in taking care of what encoding to use where but what is encodeForHtmlAttribute?
I've never heard about it but some googling led me to something called OWASP ASAPI, could that be what you mean?

Re: HttpUtility.HtmlEncode and XSS
Posted by: Matt Presson
Date: June 08, 2009 02:12PM

There are many different contexts that data can be placed into. Each of these contexts defines what it considers special characters. In many cases, what is considered special in one context is different for another context.

In the example I provided, the value of an HTML textbox gets placed inside the value attribute of the input tag. Therefore, a purist would look for a function called encodeForHTMLAttribute to properly encode this value. If HttpUtility doesn't provide one, you may still be safe using the HtmlEncode function. I don't know, as I am not a .Net expert.

If you think it would be better to use the OWASP ESAPI, then you would have a "proper" function, but that is up to you. I do not know the security reqs of your app, or the time required to integrate with ESAPI.

I would look at it if I had time, and it was a low cost integration. Otherwise, I would just go with what HttpUtility offered.


-Matt
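
A worked example, added here and not code from any post in this thread, of the point Gareth and Matt are making: the same HtmlEncode output is safe in some contexts and exploitable in others. It re-implements HttpUtility.HtmlEncode in Python (assumed to match the .NET 4.x behaviour of encoding only & < > " and ') rather than calling the real .NET API, feeds one constructed attacker payload per context into Matt's two templates plus an unquoted attribute and a link href (Gareth's javascript:alert(1)), and parses the rendered markup to see whether a script element, an on* handler or a javascript: URL reached the browser. The safe_url encoder and the CONTEXTS/PAYLOADS tables are names chosen for this example, not anything in HttpUtility or ESAPI.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def html_encode(s: str) -> str:
    """Mimic System.Web.HttpUtility.HtmlEncode (assumption: the .NET 4.x
    behaviour, which encodes the five HTML metacharacters and nothing else)."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;")
             .replace("'", "&#39;"))


def safe_url(s: str, allowed=("http", "https")) -> str:
    """Encoder for the href context: allowlist the URL scheme first, then
    HTML-encode. Encoding alone cannot reject 'javascript:alert(1)' because
    that string contains no HTML metacharacters."""
    cleaned = "".join(ch for ch in s if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in allowed:
        return "#"  # assumption: a rejected URL becomes a harmless fragment link
    return html_encode(cleaned)


# (template, encoder) per output context. The first two are Matt's examples;
# the others are the cases HtmlEncode alone does not cover.
CONTEXTS = {
    "textarea":           ("<textarea>{}</textarea>", html_encode),
    "quoted_attribute":   ('<input type="text" value="{}" />', html_encode),
    "unquoted_attribute": ('<input type="text" value={} />', html_encode),
    "href":               ('<a href="{}">profile</a>', html_encode),
    "href_validated":     ('<a href="{}">profile</a>', safe_url),
}

# Constructed attacker inputs, one per context.
PAYLOADS = {
    "textarea":           "</textarea><script>alert(1)</script>",
    "quoted_attribute":   '" onmouseover="alert(1)',
    "unquoted_attribute": "x onmouseover=alert(1)",
    "href":               "javascript:alert(1)",
    "href_validated":     "javascript:alert(1)",
}


def render(context: str, userdata: str) -> str:
    """Render user data into the given context with that context's encoder."""
    template, encoder = CONTEXTS[context]
    return template.format(encoder(userdata))


class _Collector(HTMLParser):
    """Record every start tag and attribute the browser would see."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def script_sink(markup: str):
    """Return why the markup would run attacker JavaScript, or None if it would not."""
    p = _Collector()
    p.feed(markup)
    p.close()
    if "script" in p.tags:
        return "script element"
    for name, value in p.attrs:
        if name.startswith("on"):
            return f"event handler attribute {name}"
        if name in ("href", "src") and value:
            cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
            if urlsplit(cleaned).scheme.lower() == "javascript":
                return f"javascript: URL in {name}"
    return None


def audit_all() -> dict:
    """Map each context to the reason its payload still executes, or None."""
    return {ctx: script_sink(render(ctx, PAYLOADS[ctx])) for ctx in CONTEXTS}


if __name__ == "__main__":
    for ctx, reason in audit_all().items():
        print(f"{ctx:20} {render(ctx, PAYLOADS[ctx])}")
        print(f"{'':20} -> {reason or 'safe'}")
```

Running it shows HtmlEncode holding in the textarea and the quoted value attribute, and failing in the other two: the unquoted attribute breaks because a space is not a special character to HtmlEncode, and the href passes javascript:alert(1) through untouched because there is nothing in it to encode. The URL context is fixed by scheme validation before encoding, which is a different job from HTML-encoding, and is the kind of per-context function Matt has in mind.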

Re: HttpUtility.HtmlEncode and XSS
Posted by: lazaruz
Date: June 09, 2009 01:00AM

Thank you for the help, now I have a better understanding of what to look for, I really appreciate your time

Re: HttpUtility.HtmlEncode and XSS
Posted by: Matt Presson
Date: June 10, 2009 11:45AM

Glad to help.


-Matt
