Last post Jun 24, 2014 04:08 PM by AidyF
Jun 24, 2014 03:14 PM | CraigGiles
Why is this label open to XSS, and what should I add to fix the issue?
    using System.Globalization;
    using System.Threading;
    public static string ConvertStringToTitleCase(string value)
    {
        // Create CultureInfo and TextInfo classes to use ToTitleCase method
        CultureInfo cultureInfo = Thread.CurrentThread.CurrentCulture;
        TextInfo textInfo = cultureInfo.TextInfo;
        if (value != null) return textInfo.ToTitleCase(value);
        return value;
    }
Jun 24, 2014 04:08 PM | AidyF
write that text directly to the screen, you are exposing your users to XSS attacks. If you can absolutely verify that no malicious input could ever possibly be in "applicantName", then you could tentatively say you're safe. What you should do is this:
lbl_applicantName.Text = Server.HtmlEncode(Helper.ConvertStringToTitleCase(applicantName));
That's the real issue: you're not encoding the data. The issue isn't so much what is inside your ConvertStringToTitleCase function (which you could actually make an extension method if you use it a lot, but that's beside the point).
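To make the point concrete, here is an added console example (not code from the thread) that runs the same helper over a constructed applicant name containing markup and compares the raw result with the encoded one. It uses System.Net.WebUtility.HtmlEncode as a stand-in for Server.HtmlEncode, which needs an HttpServerUtility instance and so is unavailable outside an ASP.NET request.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Threading;

class OutputEncodingDemo
{
    // Same helper as in the thread: it changes letter case only and never
    // removes or escapes markup characters such as <, >, & or ".
    public static string ConvertStringToTitleCase(string value)
    {
        TextInfo textInfo = Thread.CurrentThread.CurrentCulture.TextInfo;
        return value == null ? null : textInfo.ToTitleCase(value);
    }

    // What the Label assignment should go through before Text is set.
    // WebUtility.HtmlEncode (System.Net) stands in for Server.HtmlEncode here;
    // both escape <, >, &, " so the browser renders them as text, not markup.
    public static string SafeTitleCase(string value)
    {
        return WebUtility.HtmlEncode(ConvertStringToTitleCase(value));
    }

    static void Main()
    {
        // Constructed sample input: an "applicant name" that carries HTML markup.
        string applicantName = "john <b>smith</b> & \"co\"";

        string unsafeText = ConvertStringToTitleCase(applicantName);
        string safeText = SafeTitleCase(applicantName);

        // The tags survive title-casing (only their letter case changes),
        // so assigning unsafeText to Label.Text hands them to the browser as markup.
        Console.WriteLine("Label.Text without encoding: " + unsafeText);
        Console.WriteLine("Label.Text with encoding:    " + safeText);

        // The check a reviewer would want: after encoding, no raw markup
        // characters remain in the string that reaches the page.
        bool rawMarkupRemains = safeText.IndexOfAny(new[] { '<', '>', '"' }) >= 0;
        Console.WriteLine("Raw markup characters remain after encoding: " + rawMarkupRemains);
    }
}
```

The same rule applies to any control that renders a property as HTML (Literal, GridView template columns, and so on), not just Label.Text.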