Do I need additional XSS protection for ASP.NET 4 websites?

From what I understand about what ASP.NET does, and from my personal testing of various XSS tests, I find that no XSS prevention is required on my ASP.NET 4 website.

Do you think the ASP.NET 4.0 website needs more XSS security than its default settings? I cannot enter JavaScript or any tags into my text fields, which are then immediately printed on the page.

+5
2 answers

Disclaimer - this is based on a very paranoid definition of what a “reliable conclusion” is, but when it comes to securing the Internet, I don’t think you CAN be too paranoid.

Taken from the OWASP page linked below: Invalid data is most often the data coming from an HTTP request, in the form of URL parameters, form fields, headers or cookies. But the data coming from the database, web services and other sources often cannot be trusted in terms of security. That is, perhaps this was not entirely confirmed.

, HTML. , , .. - , . , - script.

, , , script -.

- , , ( ) script , .

, : https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

.

, Microsoft.AntiXss - . HtmlEncode , GetSafeHtmlFragment(), HTML . : http://msdn.microsoft.com/en-us/library/aa973813.aspx , .

+10

, Dexter, ASP.NET 4 XSS. , , , , . - , .

, XSS, XSS, . XSS, , , , . , (HTML, JavaScript, CSS). AntiXSS .

, ASP.NET OWASP Top 10 .NET 2: (XSS).

+4
