By bloid
via ivanuzunov.net
Published: Nov 16 2006 / 10:55
The best way to avoid XSS is to HTML-encode user input at the point where it is displayed. Sometimes, however, users are allowed to add HTML content to the web site, and in that case HTML-encoding everything is not an option. The solution is to replace all the potentially malicious data.
Tags: .net, javascript
Comments
samus replied ago:
When I read that last line about replacing the potentially malicious data, I almost groaned. I thought here is another article that is going to show how to use blacklisting and how to clean up the data when something bad comes up. That is about the worst way to handle your input. However, what the article does show is more of a whitelisting approach. Encode everything and then decode what is allowed. It actually seems kind of reasonable as long as the list of allowed tags is small.
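One way to implement the approach the comment above describes (encode everything, then decode only a small allowlist of tags), as an added JavaScript example that is not from the linked article or the commenter; the allowed-tag list and function names are assumptions, and the output is meant to be inserted as HTML:

```javascript
// Assumed allowlist for this example: bare formatting tags only, no attributes.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "br"];

// Step 1: encode every HTML-significant character. Encoding '&' first
// guarantees that pre-encoded text such as "&lt;b&gt;" cannot be turned
// back into a real tag by the decode step below.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Step 2: decode only the exact encoded forms of allowed tags.
// Because the patterns match "&lt;b&gt;" and nothing else, a tag that
// carries attributes (e.g. an onclick handler) stays encoded and inert.
function sanitizeAllowlist(input, allowed = ALLOWED_TAGS) {
  let out = htmlEncode(input);
  for (const tag of allowed) {
    const open = new RegExp(`&lt;${tag}&gt;`, "gi");
    const close = new RegExp(`&lt;/${tag}&gt;`, "gi");
    const selfClosing = new RegExp(`&lt;${tag}\\s*/&gt;`, "gi");
    out = out
      .replace(open, `<${tag}>`)
      .replace(close, `</${tag}>`)
      .replace(selfClosing, `<${tag}/>`);
  }
  return out;
}

// Constructed sample input: one allowed tag, one script tag, one tag with an
// event-handler attribute. Only the bare <b> survives as markup.
const SAMPLE = '<b>bold</b> <script>alert(1)</script> <i onclick="x()">x</i>';
console.log(sanitizeAllowlist(SAMPLE));
```

Anything not on the list, including an allowed tag with attributes, is displayed as literal text rather than executed.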