Part 56 How to prevent cross site scripting attack
Link for code samples used in the demo
http://csharp-video-tutorials.blogspot.com/2013/07/part-56-how-to-prevent-cross-site.html
Healthy diet is very important both for the body and mind. If you like Aarvi Kitchen recipes, please support by sharing, subscribing and liking our YouTube channel. Hope you can help.
https://www.youtube.com/channel/UC7sEwIXM_YfAMyonQCrGfWA/?sub_confirmation=1
Link for csharp, asp.net, ado.net, dotnet basics, mvc and sql server video tutorial playlists
http://www.youtube.com/user/kudvenkat/playlists
In this video, we will discuss preventing XSS while allowing only the HTML that we want to accept. For example, we only want to accept BOLD and UNDERLINE tags.
To achieve this, let's filter the user input and accept only the BOLD and UNDERLINE tags. The following code:
1. Disables input validation, so that a request containing HTML is not rejected by the framework
2. HTML-encodes all the input that is coming from the user
3. Finally, selectively decodes only the encoded bold and underline tags back into the HTML elements that we want to allow
// Requires: using System.Text; and using System.Web;
[HttpPost]
// Input validation is disabled,
// so the users can submit HTML
[ValidateInput(false)]
public ActionResult Create(Comment comment)
{
    StringBuilder sbComments = new StringBuilder();
    // Encode the text that is coming from comments textbox
    sbComments.Append(HttpUtility.HtmlEncode(comment.Comments));
    // Only decode bold and underline tags:
    // HtmlEncode turned "<b>" into "&lt;b&gt;", so put back just those exact tags
    sbComments.Replace("&lt;b&gt;", "<b>");
    sbComments.Replace("&lt;/b&gt;", "</b>");
    sbComments.Replace("&lt;u&gt;", "<u>");
    sbComments.Replace("&lt;/u&gt;", "</u>");
    comment.Comments = sbComments.ToString();
    // HTML encode the text that is coming from name textbox
    string strEncodedName = HttpUtility.HtmlEncode(comment.Name);
    comment.Name = strEncodedName;
    if (ModelState.IsValid)
    {
        db.Comments.AddObject(comment);
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(comment);
}
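As an added example (not the tutorial's own code), here is the same encode-then-selectively-decode step pulled out of the controller into a reusable method, run against a few constructed inputs so you can see which markup survives. It uses System.Net.WebUtility instead of System.Web.HttpUtility so that it compiles as a plain console program on any .NET SDK (both encode "<b>" as "&lt;b&gt;"); the class name, method name and sample strings are my own.

```csharp
// Added example: reusable form of the encode-then-decode-allowed-tags
// technique. Not part of the original tutorial; names are illustrative.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public static class CommentSanitizer
{
    // Exact tag strings that are allowed to come back as live HTML.
    // Anything else, including these tags with attributes, stays encoded.
    private static readonly string[] AllowedTags = { "<b>", "</b>", "<u>", "</u>" };

    public static string Sanitize(string input)
    {
        if (input == null) return string.Empty;

        // Step 1: encode everything, so no user-supplied markup is live.
        var sb = new StringBuilder(WebUtility.HtmlEncode(input));

        // Step 2: decode only the exact allowed tags.
        // WebUtility.HtmlEncode("<b>") == "&lt;b&gt;", so the lookup key is
        // derived from the allow-list rather than typed by hand.
        foreach (string tag in AllowedTags)
        {
            sb.Replace(WebUtility.HtmlEncode(tag), tag);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs (not taken from the original page).
        var samples = new Dictionary<string, string>
        {
            ["plain text"] = "Hello world",
            ["allowed tags"] = "Hello <b>bold</b> and <u>underlined</u>",
            ["script tag"] = "<script>alert(1)</script>",
            ["allowed tag with attribute"] = "<b onmouseover=\"f()\">hi</b>",
            ["upper-case tag"] = "<B>upper</B>",
        };

        foreach (var kv in samples)
        {
            Console.WriteLine($"{kv.Key,-28} -> {Sanitize(kv.Value)}");
        }
    }
}
```

Running it shows the behaviour the listing relies on: the bold and underline sample comes back unchanged, the script sample and the attribute-bearing `<b ...>` stay fully encoded because only the exact strings `<b>`, `</b>`, `<u>`, `</u>` are matched, and the upper-case `<B>` also stays encoded because StringBuilder.Replace is case-sensitive. That strictness is what keeps the approach safe; the moment you need attributes, nesting rules or case-insensitive tags, string replacement stops being adequate and a real HTML sanitizer library is the right tool.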
Warning: Relying on just filtering the user input cannot guarantee XSS elimination. XSS can happen in different ways and forms; this is just one example. Please read the MSDN documentation on XSS and its countermeasures.
Video "Part 56 How to prevent cross site scripting attack" from the kudvenkat channel