Active Server Pages/Protecting against user-input (XSS attacks)

From Wikibooks, open books for an open world
Jump to navigation Jump to search

To protect your users from Cross-site scripting (XSS) and similar attacks, you should escape both URLs and user-submitted text. In ASP this is done with two functions Server.HTMLEncode, and Server.URLEncode.

Server.HTMLEncode[edit | edit source]

Don't ever output non-escaped user data: 

Response.write user_data 'not safe

Instead do the following: 

Response.write Server.HTMLEncode( user_data )

This method should also be used for all data that comes from SQL. Better safe than sorry.

Server.URLEncode[edit | edit source]

To encode URLs that you insert into the href attribute of A tags, use the Server.URLEncode function, like this: 

<a href="http://foobar.com?<%= Server.URLEncode( "foo=bar" + "&baz=quz" ) %>">
Retrieved from "https://en.wikibooks.org/w/index.php?title=Active_Server_Pages/Protecting_against_user-input_(XSS_attacks)&oldid=4208259"