How best to deal with cross-site scripting...

mike55 (Contributor, Ireland)
I am looking at dealing with cross-site scripting, one solution that I came across, involves setting the validateRequest = false in either the web.config (covers the entire project) or in the @Page tag in the source of individual pages. Once this change has been made it is necessary to use the cmds:
Code:
HttpUtility.HtmlEncode
and
HttpUtility.HtmlDecode

to convert the data as you are collecting/distributing to the page front and database.

Another solution suggested involves employing required field validators on all text fields.

Has anyone used any of these methods, and what are their impressions of them?

Mike55.
 
I know Microsoft recommends what you wrote if you're going to turn off that setting; they recommend leaving that setting on, I believe. Those utility methods are pretty straightforward, but it's one of those things where, if you have a bunch of controls you need to 'hand-roll validate', you really begin to wish .NET supported (natively) AOP.
 
Hi bri189a

From what I can see there is no general agreement on what you should do; there are a large number of suggestions but each seems to contradict the other, i.e. one Microsoft page said to set ValidateRequest = false and use HtmlEncode and HtmlDecode, while another said that you shouldn't even consider setting the property to false.

What about employing a regular expression validator that checks that the input is alphanumeric? However, the problem arises that if I want to use "<" or ">" or any other symbol as input to a field, I get a validation error.

Is there any possibility of catching the exception thrown by the ASP.NET page when it detects that the input is a script?

Mike55.
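As an added example (not code from the thread), a Web Forms code-behind that ties the two posts together: it keeps ValidateRequest on, uses HttpUtility.HtmlEncode only on the way out so that "<" and ">" remain legal input, and catches the HttpRequestValidationException that request validation throws, which is the exception asked about above. The control names CommentBox and EchoLabel and the redirect target ~/InvalidInput.aspx are assumptions.

```csharp
// Added example, not from the thread. Assumes an .aspx page that contains a TextBox
// named CommentBox, a Label named EchoLabel, and a Button wired to Submit_Click.
// ValidateRequest is left at its default (true) in both web.config and the @Page tag.
using System;
using System.Web;
using System.Web.UI;

public partial class CommentPage : Page
{
    protected void Submit_Click(object sender, EventArgs e)
    {
        // Keep the raw text as entered. Do NOT HtmlDecode before storing it:
        // decoding turns "&lt;script&gt;" back into live markup the next time it is rendered.
        string comment = CommentBox.Text;

        // Encode at the point where the value becomes HTML text. "<b>hi</b>" is rendered
        // as "&lt;b&gt;hi&lt;/b&gt;", so symbols are usable as input without executing.
        EchoLabel.Text = HttpUtility.HtmlEncode(comment);
    }

    // Request validation runs before any control event handler, so the exception
    // cannot be caught inside Submit_Click; it surfaces through the page's Error event.
    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpRequestValidationException)
        {
            // Log ex.Message server-side; never echo the rejected input back unencoded.
            Server.ClearError();                 // suppress the default error page
            Response.Redirect("~/InvalidInput.aspx"); // assumed friendly error page
            return;
        }
        base.OnError(e);
    }
}
```

If ValidateRequest is switched off, this exception is never raised and HtmlEncode on output is the only remaining protection, which is why leaving the setting on and encoding anyway gives two independent layers.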
 