Can I use server htmlEncode to protect against XSS?

337    Asked by AndreaBailey in Cyber Security , Asked on Feb 7, 2022

 Using classic ASP, is this the right way to protect against XSS?

var1=untrusted user input
Showing a text in the body
<%=server.htmlencode(var1)%>
Showing a link in the body
Showing an image
" >"><>< style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Showing an iframe
<iframe src="http://www.example.com/page.asp?var1=<%=server.urlencode(var1)%>"></iframe>
In meta tags
<meta name="description" content="<%=server.htmlencode(var1)%>">
In forms
<input type="text" name="var1" value="<%=server.htmlencode(var1)%>">
In email

Answered by ankur Dwivedi

”>

Here you are here injecting content into a URL component, inside HTML. So in principle the correct thing to do would be to URL-encode the variable, and then HTML-encode the output of that: "> However, in reality the shorter form with just URLEncode is still safe because it just so happens that the output of URLEncode never produces any character that is special in HTML. So that's fine.

” >(><>


Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com