Check that request validation is enabled. The site-wide `validateRequest="true"` in web.config is the default, but any page can opt out with `ValidateRequest="false"` in its `@ Page` directive (shown below), so audit individual pages as well. Request validation is a heuristic input filter and a defense-in-depth layer only; output encoding remains the primary XSS control.
<system.web>
<!-- validateRequest="true" (the default) turns ASP.NET request validation on for every page. -->
<!-- NOTE(review): this is a heuristic filter, not a substitute for output encoding, and a page can
     still override it with ValidateRequest="false" in its own @ Page directive. -->
<pages buffer="true" validateRequest="true" />
</system.web>
<%-- ValidateRequest="false" switches request validation off for this page only, overriding web.config.
     Treat a page carrying this directive as a finding: every value it writes back must be encoded. --%>
<%@ Page Language="C#" ValidateRequest="false" %>
Encode HTML output. Encode untrusted data with `HttpUtility.HtmlEncode` at the point it is written into the page body; this is the primary XSS control and applies regardless of whether request validation is on.
// Read the untrusted form field and HTML-encode it before it reaches the response body.
// HtmlEncode is the right encoder for element content; a value placed in an attribute, URL or
// script context needs the encoder for that context instead.
string untrusted = Request.Form["test"];
Response.Write(HttpUtility.HtmlEncode(untrusted));
<system.web>
<!-- validateRequest="true" (the default) turns ASP.NET request validation on for every page. -->
<!-- NOTE(review): this is a heuristic filter, not a substitute for output encoding, and a page can
     still override it with ValidateRequest="false" in its own @ Page directive. -->
<pages buffer="true" validateRequest="true" />
</system.web>
<%-- ValidateRequest="false" switches request validation off for this page only, overriding web.config.
     Treat a page carrying this directive as a finding: every value it writes back must be encoded. --%>
<%@ Page Language="C#" ValidateRequest="false" %>
Encode HTML output. Encode untrusted data with `HttpUtility.HtmlEncode` at the point it is written into the page body; this is the primary XSS control and applies regardless of whether request validation is on.
// Read the untrusted form field and HTML-encode it before it reaches the response body.
// HtmlEncode is the right encoder for element content; a value placed in an attribute, URL or
// script context needs the encoder for that context instead.
string untrusted = Request.Form["test"];
Response.Write(HttpUtility.HtmlEncode(untrusted));
Encode URL output. `HttpUtility.UrlEncode` is for a single value placed in a query string or path segment; it is not an HTML encoder, so a URL that is written into an HTML attribute must additionally be HTML-encoded.
// Percent-encode the value so it is safe as a query-string or path-segment component.
// UrlEncode is not an HTML encoder: if the result lands in an HTML attribute, HtmlEncode it too.
// Applied to a complete URL it also encodes the scheme and separators, so use it on components only.
// NOTE(review): urlString is declared outside this snippet.
var encodedUrl = HttpUtility.UrlEncode(urlString);
Response.Write(encodedUrl);
Filter user input (in addition to, never instead of, encoding output)
- Do not set `ValidateRequest="false"` in the `@ Page` directive; leave request validation enabled.
- Encode string input with HtmlEncode.
- Use a StringBuilder to selectively re-enable an allow-list of harmless tags after encoding (turn the encoded `&lt;b&gt;` back into `<b>`), rather than trying to strip dangerous tags out of raw input.
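// sb holds the HtmlEncode()d input (declared outside this snippet). Once everything is encoded,
// re-enable only a fixed allow-list of harmless tags by reversing the encoding for those exact strings.
// As rendered on the page the call read Replace("<b>", "<b>"), which is a no-op: the left-hand side
// must be the entity form, otherwise nothing is re-enabled and the example teaches the wrong thing.
sb.Replace("&lt;b&gt;", "<b>");
sb.Replace("&lt;/b&gt;", "</b>");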
Set the correct character encoding. Declare the charset explicitly so the browser does not have to guess it (a guessed encoding can cause bytes that look harmless in the declared encoding to be interpreted as markup), and use the same encoding for requests and responses.
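<!-- The http-equiv name must be "Content-Type" (hyphenated); "Content Type" is not recognised, so the
     tag is ignored and the browser falls back to sniffing the charset. The declared charset must match
     the encoding the server actually sends. -->
<meta http-equiv="Content-Type"
content="text/html; charset=ISO-8859-1" />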
OR
<%-- Page-level response encoding; overrides the globalization element in web.config for this page. --%>
<% @ Page ResponseEncoding="iso-8859-1" %>
content="text/html; charset=ISO-8859-1" />
OR
<%-- Page-level response encoding; overrides the globalization element in web.config for this page. --%>
<% @ Page ResponseEncoding="iso-8859-1" %>
<configuration>
<system.web>
<!-- Site-wide encoding for incoming requests and outgoing responses. Keep the two in agreement and
     make sure the declared charset matches what the pages actually emit. -->
<globalization
requestEncoding="iso-8859-1"
responseEncoding="iso-8859-1"/>
</system.web>
</configuration>
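<!-- Opening <configuration> element restored; the snippet closed a tag it never opened. -->
<configuration>
<system.web>
<!-- Site-wide encoding for incoming requests and outgoing responses. Keep the two in agreement and
     make sure the declared charset matches what the pages actually emit. -->
<globalization
requestEncoding="iso-8859-1"
responseEncoding="iso-8859-1"/>
</system.web>
</configuration>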