Part 56 How to prevent cross site scripting attack

Link for code samples used in the demo

Healthy diet is very important both for the body and mind. If you like Aarvi Kitchen recipes, please support by sharing, subscribing and liking our YouTube channel. Hope you can help.

In this video, we will discuss preventing XSS while allowing only the HTML that we want to accept. For example, we only want to accept the BOLD (<b>) and UNDERLINE (<u>) tags.

To achieve this, let's filter the user input and accept only the bold and underline tags. The following code
1. Disables ASP.NET request validation for this action, so that a comment containing HTML is not rejected before it reaches the action method
2. HTML-encodes all the input that is coming from the user, which turns every tag into harmless text
3. Finally, selectively replaces the encoded forms of the tags we want to allow with the real HTML elements. Only the exact, attribute-free forms are replaced, so something like <b onmouseover="..."> stays encoded.

    using System.Text;
    using System.Web;
    using System.Web.Mvc;

    [HttpPost]
    // Request validation is disabled for this action,
    // so the users can submit HTML without getting
    // "A potentially dangerous Request.Form value was detected from the client"
    [ValidateInput(false)]
    public ActionResult Create(Comment comment)
    {
        StringBuilder sbComments = new StringBuilder();

        // Encode the text that is coming from the comments textbox.
        // After this step <b> is &lt;b&gt;, <script> is &lt;script&gt;, and so on.
        sbComments.Append(HttpUtility.HtmlEncode(comment.Comments));

        // Only decode the bold and underline tags.
        // The match is an exact, case-sensitive string match.
        sbComments.Replace("&lt;b&gt;", "<b>");
        sbComments.Replace("&lt;/b&gt;", "</b>");
        sbComments.Replace("&lt;u&gt;", "<u>");
        sbComments.Replace("&lt;/u&gt;", "</u>");
        comment.Comments = sbComments.ToString();

        // HTML encode the text that is coming from the name textbox
        string strEncodedName = HttpUtility.HtmlEncode(comment.Name);
        comment.Name = strEncodedName;

        if (ModelState.IsValid)
        {
            db.Comments.AddObject(comment);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        return View(comment);
    }

Warning: Relying on just filtering the user input cannot guarantee XSS elimination. XSS can happen in different ways and forms, and this is just one example. Two things to keep in mind with this approach: the comment is stored in the database already HTML-encoded, so every consumer of that column must know that, and the view has to output it without encoding it a second time (for example with Html.Raw in a Razor view, since Razor's @ syntax would otherwise encode the allowed <b> and <u> tags again); and the replacements are exact, case-sensitive string matches, so <B> stays encoded and a tag that carries attributes is never restored. Please read the MSDN documentation on XSS and its countermeasures.
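The encode-then-selectively-decode step from the action above, pulled out into a stand-alone console program with a few constructed attacker payloads run through it. This is an added example, not code from the video or from kudvenkat's blog. It assumes a .NET 4.5+ or .NET Core/5+ console project and uses System.Net.WebUtility.HtmlEncode, which produces the same entities for <, >, &, " and ' as System.Web.HttpUtility.HtmlEncode, so the result matches the controller code without a reference to System.Web. The CommentSanitizer class name and the sample strings are mine.

```csharp
// Added example (not kudvenkat's code): the encode-then-selectively-decode
// technique as a reusable function, plus a harness that feeds it constructed
// attacker payloads. Assumes .NET 4.5+/.NET Core; WebUtility.HtmlEncode emits
// the same entities for < > & " ' as HttpUtility.HtmlEncode.
using System;
using System.Net;
using System.Text;

public static class CommentSanitizer
{
    // Tags we allow, written as they look AFTER encoding. Only the exact,
    // attribute-free forms are listed, so "<b onmouseover=...>" never matches.
    private static readonly (string Encoded, string Tag)[] Allowed =
    {
        ("&lt;b&gt;",  "<b>"),
        ("&lt;/b&gt;", "</b>"),
        ("&lt;u&gt;",  "<u>"),
        ("&lt;/u&gt;", "</u>"),
    };

    public static string Sanitize(string untrusted)
    {
        if (untrusted == null) return string.Empty;

        // 1. Encode everything: every '<', '>', '&', '"' and '\'' becomes an entity.
        //    A literal "&lt;" typed by the user becomes "&amp;lt;", so the user
        //    cannot hand-craft an "already encoded" tag to sneak past step 2.
        var sb = new StringBuilder(WebUtility.HtmlEncode(untrusted));

        // 2. Put back only the exact allowed tags. The match is case-sensitive,
        //    just like the original controller code, so "<B>" stays encoded.
        foreach (var (encoded, tag) in Allowed)
            sb.Replace(encoded, tag);

        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs (not taken from the page).
        string[] samples =
        {
            "This is <b>bold</b> and <u>underlined</u>",
            "<script>alert('xss')</script>",
            "<b onmouseover=\"alert(1)\">hover me</b>",
            "<B>upper-case</B> is not in the allow-list",
            "a &lt;b&gt; typed literally by the user",
        };

        foreach (var s in samples)
            Console.WriteLine($"{s}\n  -> {Sanitize(s)}\n");
    }
}
```

The first sample comes back with real <b> and <u> tags; the <script> sample stays fully encoded; the third sample keeps its opening tag encoded (the attribute breaks the exact match) while the harmless closing </b> is restored; the upper-case <B> is not restored because the match is case-sensitive; and the last sample shows why encoding must happen before the replacements: the user's literal "&lt;b&gt;" becomes "&amp;lt;b&amp;gt;" and displays as typed instead of turning into a tag. Whatever Sanitize returns is already HTML, so a Razor view must emit it with Html.Raw rather than plain @, and any non-HTML consumer (the point raised in the comments about mobile apps or Windows Forms) would have to decode it first.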
Comments

Most teachers never talk about OWASP and how to prevent it. You are a great teacher, and you master the art of explaining complex concepts in a simple way. Congratulations and greetings from Mexico!

isai

Thank you very much for taking time to give feedback. For email alerts, when new videos are uploaded, please subscribe to my channel. In the description of this video, I have included the link for ASP .NET, C#, and SQL Server playlists. All the videos are arranged in logical sequence in these playlists, which could be useful to you. Please share the link with your friends who you think would also benefit from them. If you like these videos, please click on the THUMBS UP button below the video.

Csharp-video-tutorialsBlogspot

Hi Akhil, sure, serialization is very important, and I will cover it as soon as I can.

Csharp-video-tutorialsBlogspot

Thank you very much for all your tutorials! They are the greatest in their areas of all YouTube channels, in my opinion!

mdigbazova

This is an interesting video. I think it is very useful for developers, and I recommend every developer watch it.
I liked the StringBuilder explanation.
Giving guidelines for reference, like MSDN for cross-site scripting attacks, is good for the user. I think you should put that link in your blog for reference; this is only a suggestion.
Thanks a bunch

krismaly

Thanks very much, great explanation, very simple to understand & digest.

amift

Hello kudvenkat, your tutorials are really helping in a positive way. Thanks for all your effort. But I have a question here. After taking the input from the user, you are manually replacing the encoded HTML with an HTML string; after doing that you are converting the StringBuilder object to the string type (sbComments.ToString()). And you have already said that a string of type System.String is automatically HTML encoded (while creating a custom HTML helper, Part 48). So how come sbComments.ToString() is not getting HTML encoded again? Please clarify this doubt; it would be very helpful. Thanks.

priyansusachan

Hi @kudvenkat, I tried this HTMLUtility.Encode(); this encoded the field value before saving to the DB. After saving, when reopening the saved form, the data is coming back in encoded format and not like a normal script. Can you tell me why? Do I need to add decoding as well? But you didn't add it?

nehabhl

Can you please help me with HTML injection code? After entering data in the textbox, I tried to change the data through Inspect. I need a solution so that the textbox value cannot be changed after Inspect, or a way to check the first textbox value against the value after Inspect, in an ASP.NET C# web form.

sksubhi

Hi Venkat, thank you very much for sharing valuable knowledge with us. Recently I faced an interview; most of the questions were about different types of serialization: which interface does a class have to implement to be serialized? Which method is invoked after serialization? How is serialization linked with generics? Please cover the serialization topics if you have time.
Thanks Venkat

akhilb

Sir, this video is one of the best videos.

sachingreat

Hi, can you tell me how to prevent XSS in Perl?

cyber_india

How to stop PDF Injection that leads to Cross-site Scripting in mvc?

balasubramanianramamoorthi

I am sorry to say that this technique is NOT good. What if you want to display the database data in mobile apps/Windows Forms? Encoded values should never be stored in a database.

gopub

Hello, nice video. Can you give an example of file upload for MVC?

stagge

Good job, but I hate the many "You know"s!!!

anomalii