
Cross Site Scripting & filter request asp.net

I need to write a generic routine which will filter cross-site scripting related characters. I found one that is in Java. I don't know Java.

Here is the Java code:

package com.greatwebguy.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class CrossScriptingFilter implements Filter {
    // Field referenced by init()/destroy(); it was missing from the posted snippet.
    private FilterConfig filterConfig;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    // Wraps every request so that parameter and header reads go through cleanXSS().
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
    }
}

package com.greatwebguy.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class RequestWrapper extends HttpServletRequestWrapper {
    public RequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    // Runs every value of a multi-valued parameter through cleanXSS().
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    // Note: getParameterMap(), getHeaders() and getQueryString() are not overridden,
    // so values read through those paths reach the application unchanged.
    private String cleanXSS(String value) {
        // The entities are written without the spaces the blog rendering inserted.
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        // By this point every "(" is already "&#40;", so this pattern can never match.
        value = value.replaceAll("eval\\((.*)\\)", "");
        // Matches only a double-quoted, lowercase javascript: URL (single quotes are already &#39;).
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // Case-sensitive literal removal; also strips "script" out of ordinary words such as "description".
        value = value.replaceAll("script", "");
        return value;
    }
}

<filter>
    <filter-name>XSS</filter-name>
    <display-name>XSS</display-name>
    <description></description>
    <filter-class>com.greatwebguy.filter.CrossScriptingFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XSS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The URL where I got this code: http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/

Can anyone give me tips to convert the code to ASP.NET & C#, or write a class from scratch which mimics the above functionality? Thanks.

Cross-site scripting can be avoided easily by ensuring that any user-submitted content is HTML encoded prior to being rendered in the page. Usually this would be achieved by consistently using the <%: instead of the <%= ASPX tag to ensure that encoding is applied to the content. Attempting to "clean" input is doomed to failure. Rendering that input correctly is all that is required.

MSDN has a good article 'How to prevent Cross-Site scripting in ASP.NET'.

You don't need half of that (Java) code to achieve the same result in ASP.NET.

Edit: as per Spender's recommendation, here's another link, this time for MVC.

Note: I'd still read the first article, though, for understanding the principles.
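The following is an added example, not code from the question, the answer or the greatwebguy blog. It ports the Java cleanXSS() from the question to C# so the two approaches can be compared side by side, then shows the output-encoding approach the answer recommends using System.Web.HttpUtility (real API; HtmlEncode is the encoding the <%: %> tag applies). The class and method names (XssDemo, CleanXss, RenderText, RenderAttribute, RenderJsString, RenderLink) and the payload strings are constructed for this demonstration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility: reference System.Web.dll on .NET Framework; newer .NET ships it in the shared framework

static class XssDemo
{
    // Straight C# port of the Java cleanXSS() from the question, with the
    // blog's stray spaces in the entities removed. Kept as-is to show why the
    // answer calls input cleaning "doomed"; do not deploy it.
    public static string CleanXss(string value)
    {
        value = value.Replace("<", "&lt;").Replace(">", "&gt;");
        value = value.Replace("(", "&#40;").Replace(")", "&#41;");
        value = value.Replace("'", "&#39;");
        // Dead code: every '(' was already rewritten to &#40; two lines up.
        value = Regex.Replace(value, @"eval\((.*)\)", "");
        // Only a double-quoted, lowercase "javascript:" is caught; a single
        // quote is already &#39; and "JavaScript:" is not matched at all.
        value = Regex.Replace(value, @"[\""'][\s]*javascript:(.*)[\""']", "\"\"");
        // Case-sensitive and context-free: "Script" passes, "description" becomes "deion".
        value = value.Replace("script", "");
        return value;
    }

    // What the answer recommends instead: keep the stored input unchanged and
    // encode at render time for the context the value lands in.
    public static string RenderText(string s)
        => "<p>" + HttpUtility.HtmlEncode(s) + "</p>";

    public static string RenderAttribute(string s)
        => "<input value=\"" + HttpUtility.HtmlAttributeEncode(s) + "\">";

    public static string RenderJsString(string s)
        => "<script>var q = \"" + HttpUtility.JavaScriptStringEncode(s) + "\";</script>";

    // No encoder makes a javascript: URL safe inside href; the scheme has to be
    // validated, and only then is the URL attribute-encoded.
    public static string RenderLink(string s)
    {
        if (Uri.TryCreate(s, UriKind.Absolute, out var u)
            && (u.Scheme == Uri.UriSchemeHttp || u.Scheme == Uri.UriSchemeHttps))
        {
            return "<a href=\"" + HttpUtility.HtmlAttributeEncode(u.AbsoluteUri) + "\">link</a>";
        }
        return "<a href=\"#\">link</a>";
    }

    static void Main()
    {
        // Constructed payloads, one per output context the filter knows nothing about.
        string attrPayload = "\" autofocus onfocus=alert(1) x=\"";   // breaks out of value="..."
        string hrefPayload = "JavaScript:alert(1)";                   // mixed case beats the regex
        string jsPayload   = "\";alert`1`//";                         // no parens, no quotes it encodes
        string legit       = "job description (draft)";               // ordinary text

        Console.WriteLine("--- blacklist filter from the question ---");
        // Double quote, backtick, '&' and uppercase letters are untouched, so the
        // payloads survive; a browser decodes &#40; inside an attribute value
        // back to '(' before it runs the handler or follows the href.
        Console.WriteLine("<input value=\"" + CleanXss(attrPayload) + "\">");
        Console.WriteLine("<a href=\"" + CleanXss(hrefPayload) + "\">link</a>");
        Console.WriteLine("<script>var q = \"" + CleanXss(jsPayload) + "\";</script>");
        // ...while legitimate text is mangled.
        Console.WriteLine(CleanXss(legit));

        Console.WriteLine("--- output encoding per context ---");
        Console.WriteLine(RenderAttribute(attrPayload));
        Console.WriteLine(RenderLink(hrefPayload));
        Console.WriteLine(RenderJsString(jsPayload));
        Console.WriteLine(RenderText(legit));
    }
}
```

Compile it as a console application. In the first group the three payloads come out of CleanXss still usable in their contexts (the only change is `(` and `)` becoming `&#40;` and `&#41;`, which the HTML parser reverses inside attribute values), and "job description (draft)" loses the letters "script". In the second group HtmlAttributeEncode turns the breakout quote into `&quot;`, JavaScriptStringEncode escapes the quote so the string literal is not terminated, the javascript: URL is refused by the scheme check, and the legitimate text is rendered unchanged.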

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please credit this site or the original source. Questions: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM