In this article, I will explain about how to prevent XSS Attacks. XSS (Cross-Site Scripting) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. For sites that allow user input to be displayed in the browser, cross site scripting (XSS) attacks are a possibility that must be protected against. These attacks are carried out by placing <script> tags pointing to malicious code in the public facing elements, which can be persisted elements such as comments or reviews, or more ephimeral examples such as query variables in the url. The aim of these attacks varies, but some examples are stealing sensitive information (login credentials, personal data), forcing redirects, or just about anything else that can be accomplished with JavaScript. These attackes can be prevented by encoding input. So instead of the literal string <script>bad script code</script>, it becomes <script>bad script code</script>, and instead of running the code, it will simply display the text content of the script.
According to Microsoft, the primary purpose of the HttpUtility.HtmlEncode method is to ensure that ASP.NET output does not break HTML; it's purpose is not necessarily security. However, the AntiXssEncoder class is primarily designed for security. To this end, it uses a white-list approach rather than a black-list, only allowing known safe characters to remain unencoded. The AntiXss method is slightly less performant, and will work in multiple languages.
It is possible to set the AntiXssEncoder as the default for your application, and this has gotten steadily easier. Phil Haack wrote in 2010 about doing this using a the HttpEncoder abstract base class, and Jon Galloway wrote in 2011 about doing it with version 4.1 which already included an encoder, so it required little more than adding the assembly to the project and changing the web.config file. Since AntiXss can now be had in NuGet, it's as simple as installing it and setting the httpRuntime encoderType property:
<system.web>
<httpRuntime targetFramework="4.5"
encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
</system.web>
HostForLIFE.eu ASP.NET 4.5 Hosting
European best, cheap and reliable ASP.NET hosting with instant activation. HostForLIFE.eu is #1 Recommended Windows and ASP.NET hosting in European Continent. With 99.99% Uptime Guaranteed of Relibility, Stability and Performace. HostForLIFE.eu security team is constantly monitoring the entire network for unusual behaviour. We deliver hosting solution including Shared hosting, Cloud hosting, Reseller hosting, Dedicated Servers, and IT as Service for companies of all size.