To HTMLENCODE or not to HTMLENCODE user login in web form (asp.net vb)

I have many options that make up the insert form, for example:

x.Parameters.AddWithValue("@city", City.Text)

This morning I had an unsuccessful XSS attack on the site, so I'm still trying to strengthen security measures...

Should I add my input parameters as follows?

x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text))

Is there anything else I should consider to avoid attacks?

0
2 answers

. . - , PDF Word ( - ), , HTML.

, .

, , .

HTML-, , HTML.

... ..

+5

OWASP XSS Prevention Cheat Sheet. html-, , , .

, , htmlEncode() expect, . OWASP:

HTML- ?

HTML- , HTML, . , , . HTML , , onmouseover CSS, URL-. , HTML , - XSS. escape HTML-, . .

, , XSS. 7 , .

+1
