DEV Community

LFC

Tip for Preventing XSS in ASP.NET

I am going to show you an old but useful tip for preventing cross-site scripting (XSS) when we render form input in our ASP.NET views.

First of all, we have this line, which writes the value into the page without HTML-encoding it:

<p id="firstName"><%= firstName %></p>

To encode this output correctly and avoid XSS, you should change it to this:

<p id="firstName"><%= Html.Encode(firstName) %></p>

However, ASP.NET MVC introduced a shorter syntax with the same purpose:

<p id="firstName"><%: firstName %></p>

Did you see it?
The key is to replace <%= with <%:
One caveat: <%: %> only encodes values that are not already marked as safe HTML. A value implementing IHtmlString (for example an MvcHtmlString returned by an HTML helper) is written unencoded, so only wrap markup you built yourself in that interface, never raw user input.
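To make the difference concrete, here is a small added example (not code from the original post or from ASP.NET itself) with a hypothetical helper, SafeOutput.Render, that reproduces the rule the <%: %> block applies: encode everything with HttpUtility.HtmlEncode unless the value implements IHtmlString. The sample first name is constructed.

```csharp
using System;
using System.Web;   // HttpUtility, IHtmlString and HtmlString live in System.Web.dll

// Hypothetical helper that mirrors the <%: %> behaviour described above.
static class SafeOutput
{
    public static string Render(object value)
    {
        if (value == null)
        {
            return string.Empty;
        }

        // Values that claim to be safe HTML are written through unencoded.
        // This is the path to audit: it must only ever carry markup you built.
        var trusted = value as IHtmlString;
        if (trusted != null)
        {
            return trusted.ToHtmlString();
        }

        // Everything else is HTML-encoded, so <, >, &, " and ' become entities
        // and the browser renders them as text instead of parsing them as markup.
        return HttpUtility.HtmlEncode(value.ToString());
    }

    static void Main()
    {
        // Constructed sample standing in for a user-supplied form field.
        string firstName = "<b>Bob</b> & \"friends\"";

        // Plain string: encoded, equivalent to <%: firstName %>.
        Console.WriteLine(SafeOutput.Render(firstName));

        // Same text wrapped as IHtmlString: passes through unencoded,
        // which is why raw input must never be wrapped this way.
        Console.WriteLine(SafeOutput.Render(new HtmlString(firstName)));
    }
}
```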

Happy coding!
