mattcase (Member)
Preventing XSS
Jul 10, 2012 02:54 PM
Hi,
How important is it to use HttpUtility.HtmlEncode() for entries like Name, Address, Phone, Email, etc. textboxes? I want to make my application very secure, but I don't want to spend a lot of time doing things that are not that important.
Thanks.
BrockAllen (All-Star, MVP)
Re: Preventing XSS
Jul 10, 2012 03:02 PM
Security is hard because the defender has to protect every way in. The attacker has it easy because they only have to find one weakness.
The basic issue is untrusted input. If the user is entering the data it's untrusted and it needs to be encoded. Also, if the value is coming from the database -- is that trusted data? Who entered it and was it scrubbed before persisting to the database? If that value is coming from the config file -- is that trusted? What about the returned data from a web service call -- is that trusted?
If you're in Razor then you automatically get HtmlEncoding. If you're in WebForms then you can use the <%: foo %> syntax to make it easier to get encoding (less typing).
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
BrockAllen (All-Star, MVP)
Re: Preventing XSS
Jul 10, 2012 03:04 PM
Oh I was going to also mention -- the AntiXSS/WPL library on codeplex -- they have a Sanitize API to clean data before you store it to the DB. This is a nice extra layer of protection.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
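The two replies above (encode every untrusted value on output; optionally sanitize on the way into the database) combined into one added C# example. This is not code from the thread or from the AntiXSS project; it assumes a reference to System.Web and to the AntiXSS AntiXssLibrary assembly (Microsoft.Security.Application namespace), and the ContactRecord class and all field values are constructed for the demonstration.

```csharp
using System;
using System.Web;                       // HttpUtility
using Microsoft.Security.Application;   // AntiXSS Sanitizer (AntiXssLibrary.dll, assumed referenced)

// Added example, not code from the thread or from the AntiXSS project.
// Stage 1 (storage): Sanitizer.GetSafeHtmlFragment for the one field that is
// allowed to carry limited HTML. Stage 2 (output): HttpUtility.HtmlEncode /
// HtmlAttributeEncode for every value placed into markup, whatever its origin.
// Field values below are constructed for the demonstration.
class ContactRecord
{
    public string Name;
    public string Address;
    public string Phone;
    public string Email;
    public string Notes;   // rich-text field: may contain a little HTML
}

static class ContactPipeline
{
    // Plain fields are stored as-is (they are not HTML and will be encoded on
    // output); only the notes field goes through the sanitizer as an extra
    // layer before persisting.
    public static ContactRecord PrepareForStorage(ContactRecord input)
    {
        return new ContactRecord
        {
            Name = input.Name ?? string.Empty,
            Address = input.Address ?? string.Empty,
            Phone = input.Phone ?? string.Empty,
            Email = input.Email ?? string.Empty,
            Notes = Sanitizer.GetSafeHtmlFragment(input.Notes ?? string.Empty)
        };
    }

    // Every value is encoded at the point it enters markup. Data read back
    // from the database is treated as untrusted too: sanitizing on the way in
    // does not replace encoding on the way out.
    public static string RenderRow(ContactRecord r)
    {
        return "<tr>"
            + "<td>" + HttpUtility.HtmlEncode(r.Name) + "</td>"
            + "<td>" + HttpUtility.HtmlEncode(r.Address) + "</td>"
            + "<td>" + HttpUtility.HtmlEncode(r.Phone) + "</td>"
            + "<td>" + HttpUtility.HtmlEncode(r.Email) + "</td>"
            + "</tr>";
    }

    // Attribute context: quotes must be encoded so the value cannot close the
    // attribute it sits in.
    public static string RenderEmailInput(string email)
    {
        return "<input type=\"email\" name=\"email\" value=\""
            + HttpUtility.HtmlAttributeEncode(email) + "\" />";
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample: a form post whose "name" is really markup.
        var posted = new ContactRecord
        {
            Name = "<script>alert('xss')</script>",
            Address = "1 Main St & \"Unit 2\"",
            Phone = "555-0100",
            Email = "a@b.test\" onmouseover=\"alert(1)",
            Notes = "Prefers <b>morning</b> calls<script>alert('xss')</script>"
        };

        ContactRecord stored = ContactPipeline.PrepareForStorage(posted);
        Console.WriteLine(stored.Notes);
        // The sanitizer removes the <script> element and keeps simple
        // formatting such as <b>.

        Console.WriteLine(ContactPipeline.RenderRow(stored));
        // Name renders as &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;:
        // the browser shows it as text instead of executing it.

        Console.WriteLine(ContactPipeline.RenderEmailInput(stored.Email));
        // value="a@b.test&quot; onmouseover=&quot;alert(1)": the injected
        // quote is encoded, so the whole value stays inside the attribute.
    }
}
```

In a view, `@r.Name` in Razor and `<%: r.Name %>` in WebForms perform the same HtmlEncode call shown here; `<%= r.Name %>` and `Html.Raw()` do not, so those are the spots to check when reviewing a page for missing encoding.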
mattcase (Member)
Re: Preventing XSS
Jul 10, 2012 03:13 PM
Excellent! Thanks for your reply and the great advice; it lines up exactly with other articles I have been reading.