
How to clean ashx url from cross-site scripting?

For example I have a handler MyPage.ashx?parameter=1&parameter=2

if someone added to the end of the url <script>alert('Test')</script>

MyPage.ashx?parameter=1&parameter=2<script>alert('Test')</script>

JavaScript will be executed on the client side.

Is there any way to clean the URL from cross-site scripting?

The javascript is only being executed because you are outputting user input raw.

If your ashx needs to output parameters, you must encode them suitably. Assuming you are creating HTML in your ashx page, you need to HtmlEncode the parameter value before you output it. There are different encoding methods for particular types; it's hard to tell which needs to be used without more details of the ashx script.

Check ASP.NET Request Validation

In addition to that you should never render request input parameters unescaped or unvalidated back to the client.
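
The advice in the answers above (HtmlEncode the value, and never render request input unvalidated), as an added example that is not part of the original posts. The class name `MyPage` and the assumption that `parameter` is meant to hold integers are hypothetical; the page only shows the URL.

```csharp
using System;
using System.Web;

// Hypothetical handler behind MyPage.ashx (added example, not the asker's code).
public class MyPage : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/html; charset=utf-8";

        // "parameter" appears twice in the example URL, so read every value.
        string[] values = context.Request.QueryString.GetValues("parameter")
                          ?? new string[0];

        foreach (string raw in values)
        {
            // Vulnerable form described in the question: the raw value is
            // written into the HTML response, so markup in it is rendered.
            //   context.Response.Write("<p>" + raw + "</p>");

            // 1. Validate: assumed here that the parameter must be an integer.
            int number;
            if (int.TryParse(raw, out number))
            {
                // A parsed int cannot carry markup.
                context.Response.Write("<p>parameter = " + number + "</p>");
                continue;
            }

            // 2. Encode: if the rejected value is echoed at all, encode it for
            //    the HTML body so < > & " become entities and are shown as text.
            context.Response.StatusCode = 400;
            context.Response.Write(
                "<p>Invalid parameter: " + HttpUtility.HtmlEncode(raw) + "</p>");
        }

        // Other output contexts need their own encoder, for example:
        //   HttpUtility.HtmlAttributeEncode(s)   inside an HTML attribute value
        //   HttpUtility.JavaScriptStringEncode(s) inside a JavaScript string
        //   HttpUtility.UrlEncode(s)              inside a URL query component
    }
}
```

With the URL from the question, the value `2<script>alert('Test')</script>` fails the integer check and is written out as `2&lt;script&gt;alert(&#39;Test&#39;)&lt;/script&gt;`, which the browser displays as text.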

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
