Active Server Pages/Protecting against user-input (XSS attacks)

From Wikibooks, the open-content textbooks collection

Jump to: navigation, search

To protect against user input, or the now vulnerable XSS attacks, you'll need to escape both URLs and user-inputted text for HTML. In ASP this is done with two functions Server.HTMLEncode, and Server.URLEncode.

[edit] Server.HTMLEncode

Don't ever output non-escaped user data:

Response.write user_data

Instead do the following:

Response.write Server.HTMLEncode( user_data )

This method should also be used for all data that comes from sql. Better safe than sorry.

[edit] Server.URLEncode

URL-Encoding is more for the purpose of HTML validation. To be valid HTML all '&' (&) and '=' must be encoded. The function Server.URLEncode takes care of that task for you. All query-strings should be url-encoded.

<a href="http://foobar.com?<%= Server.URLEncode( "foo=bar" + "&baz=quz" ) %>">
Retrieved from "http://en.wikibooks.org/wiki/Active_Server_Pages/Protecting_against_user-input_(XSS_attacks)"