stackoom
  简体   繁体   中英

XSS mitigation in HTML/VBScript/Classic ASP

 原文  2011-10-26 19:57:57       html/ asp-classic/ xss

Question

I'm faced with the following hypothetical XSS vulnerability in my web code:

original code: <INPUT TYPE=HIDDEN NAME='acctno' VALUE='" &Session("acctno")& "'>

hacked code: <INPUT TYPE=HIDDEN NAME='acctno' VALUE='12345'/><script>alert(98765)</script>

Can I mitigate this simply by adding HTMLEncode to the session variable in the value field?
Thanks.

1 answers

solution1
 1 ACCPTED  2011-10-26 19:59:32

Exactly. You need to HTML encode all text that gets inserted into the HTML.

You also need to Javascript-encode any text that gets inserted into Javascript code, and you need to URL-encode any text that gets inserted into URLs.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Classic ASP (VBScript) convert HTML codes to plain text vbscript dropdown in function without using HTML (classic ASP) Alphabetic pagination classic ASP vbscript Vbscript classic asp custom classes How do I convert an HTML page to a PDF using Classic ASP VBScript? Updating sql server through classic asp and vbscript Calling a vbscript funciton to update a SQL table from an HTML form generated on an asp-classic page Classic ASP: Call a VBscript function in form which is returned by a VBScript Button Click for asp to Delete Row in SQL server - classic asp and vbscript Javascript not working, classic asp, HTML
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM