From the course: ASP.NET: Security
Cross-site scripting (XSS): The defense
- Since cross-site scripting is so common, it looks like a defense against it would be very hard, but no, it isn't, especially with the Razor view engine there. The @ character, which can be used to output some things, so here a property of some variable, this @ character HTML-escapes prior to output. So if we are in an HTML context, if we output something within plain HTML, then this already saves us from cross-site scripting, because this escapes all special characters in HTML: the brackets, single quotes and double quotes. What we could also do is call the HtmlEncode method of HttpUtility. I'm using the old Web Forms view engine for ASP.NET MVC here, which was available in earlier versions of ASP.NET MVC, just to show you how this would look, but there is no need for us to do that, with the built-in HTML escape in there. However, you have to be very, very careful when in your code you find or use the Html.Raw…
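The three output paths the lesson contrasts, as an added example that is not code from the course: what Razor's `@` does to an untrusted value, the same encoding done explicitly with `HttpUtility.HtmlEncode`, and what `Html.Raw` leaves untouched. It is a stand-alone .NET 6+ console program rather than a view; the attacker payload and the helper names (`RenderEncoded`, `RenderRaw`, `RenderWithHttpUtility`, `IsFreeOfHtmlMetachars`) are constructed for this example. `HtmlEncoder.Default` is the encoder ASP.NET Core Razor uses for `@` by default; `HttpUtility.HtmlEncode` is the classic ASP.NET/MVC 5 encoder named in the lesson.

```csharp
// Added example, not from the course: the same untrusted comment rendered
// the way @value, HttpUtility.HtmlEncode and Html.Raw would render it.
using System;
using System.Text.Encodings.Web;   // HtmlEncoder: what ASP.NET Core Razor uses for @
using System.Web;                  // HttpUtility.HtmlEncode: classic ASP.NET / MVC 5 encoder

static class XssDefenseDemo
{
    // Constructed attacker input, as a user-supplied comment might arrive.
    public const string Payload = "<img src=x onerror=\"alert(document.cookie)\">";

    // Equivalent of <p>@comment</p>: Razor HTML-encodes the value before output,
    // so the browser shows the text of the payload instead of executing it.
    public static string RenderEncoded(string comment) =>
        "<p>" + HtmlEncoder.Default.Encode(comment) + "</p>";

    // Same defense done by hand with the older API the lesson mentions
    // (what you would write in the Web Forms view engine: <%: comment %>).
    public static string RenderWithHttpUtility(string comment) =>
        "<p>" + HttpUtility.HtmlEncode(comment) + "</p>";

    // Equivalent of <p>@Html.Raw(comment)</p>: no encoding at all. Acceptable
    // only for markup your own code produced, never for user-controlled input.
    public static string RenderRaw(string comment) =>
        "<p>" + comment + "</p>";

    // Check a reviewer can apply to an encoded fragment: in an HTML body
    // context none of the characters that open a tag or close an attribute
    // may survive encoding.
    public static bool IsFreeOfHtmlMetachars(string encodedFragment) =>
        !encodedFragment.Contains('<') &&
        !encodedFragment.Contains('>') &&
        !encodedFragment.Contains('"') &&
        !encodedFragment.Contains('\'');

    static void Main()
    {
        Console.WriteLine("Razor @ output:        " + RenderEncoded(Payload));
        Console.WriteLine("HttpUtility output:    " + RenderWithHttpUtility(Payload));
        Console.WriteLine("Html.Raw output:       " + RenderRaw(Payload));

        bool razorSafe = IsFreeOfHtmlMetachars(HtmlEncoder.Default.Encode(Payload));
        bool utilitySafe = IsFreeOfHtmlMetachars(HttpUtility.HtmlEncode(Payload));
        bool rawSafe = IsFreeOfHtmlMetachars(Payload);

        Console.WriteLine($"encoded by @ is free of metachars: {razorSafe}");        // true
        Console.WriteLine($"HttpUtility.HtmlEncode is free of metachars: {utilitySafe}"); // true
        Console.WriteLine($"Html.Raw is free of metachars: {rawSafe}");            // false
    }
}
```

Both encoders turn `<`, `>`, `&` and `"` into entities and escape the single quote as well (the exact entity for `'` differs between the two, which is why the check tests for the character rather than a fixed string). The caveat the lesson builds toward: this is the defense for the HTML body context only. A value placed inside a JavaScript block, an unquoted attribute or a URL needs the encoding for that context, and `Html.Raw` should only ever wrap markup that was produced or sanitized by your own code.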
Contents
- OWASP Top 10 (2m 49s)
- Cross-site scripting (XSS): The attack (5m 10s)
- Cross-site scripting (XSS): The defense (4m 18s)
- Cross-site scripting (XSS) in JavaScript (5m 19s)
- Same-origin policy and CORS (5m 12s)
- SQL injection with ADO.NET (3m 56s)
- SQL injection with Entity Framework (3m 32s)
- Fixing SQL injection (4m 27s)
- Cross-Site Request Forgery (CSRF) (4m 40s)
- Defending against CSRF (4m 40s)