I am working on an ASP.NET C# + jQuery AJAX project. I am trying to prevent XSS attacks, and I know that what follows is not a complete approach, but at the very least what I should do is use HtmlEncode when accepting free-form text input from users. I would really appreciate someone checking whether I'm doing the right thing.
So, let's say we have a page where one of the controls is the Description text box, and users can enter a "free" string describing their product. To prevent XSS from getting in through that input, in the server-side Page Method I wrap the Description text using HtmlUtility.HtmlEncode(), so the string is treated as plain text before it enters the database, i.e. <script> becomes >script<.
What I'm unsure about is how to handle the HTML-encoded text before returning it to the user.
When the user wants to view the entered description text, the website retrieves it from the database and prints it.
Does it make sense to HTML-decode the description so that the user does not see these weird >< characters? Would that undermine the use of HtmlEncode? And if so, is this the right jQuery line to decode and print the text back to users?
$("#txtDescription").val($(this).html(obj.Description).text());
Many thanks
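The encode-on-input, decode-for-display round trip the question describes, as an added example that is not part of the original post. It is plain JavaScript that runs under Node without jQuery or a DOM; htmlEncode is assumed to escape the same five characters HttpUtility.HtmlEncode does (&, <, >, " and '), and the function names are my own. The point it demonstrates: a textbox value (jQuery .val()) is a DOM property, never parsed as markup, so decoded text is the right thing to put there; in an HTML context the stored encoded form is already safe, and re-encoding it produces the double-encoded "&amp;lt;" noise the question is worried about.

```javascript
// Constructed example: model of HtmlEncode on input and decode on output.
// Assumption: these maps mirror HttpUtility.HtmlEncode's escaped set.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE_MAP = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };

// Server side: encode once before the value enters the database.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENCODE_MAP[c]);
}

// Reverse of htmlEncode. A single regex pass avoids the ordering bug where
// decoding "&amp;" first turns "&amp;lt;" into "<" by accident.
function htmlDecode(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => DECODE_MAP[m]);
}

// Client side, textbox: .val() sets the element's value property, which the
// browser never parses as HTML, so the user should see the decoded text.
function textboxValue(stored) {
  return htmlDecode(stored);
}

// Client side, markup (a <div>, a <td>): insert the stored, still-encoded
// string as-is, or pass textboxValue(stored) to .text(), which encodes again.
// Decoding and then inserting with .html() would reintroduce the markup.
function markupValue(stored) {
  return stored;
}

// Detects the symptom of encoding on input AND encoding again on output:
// an entity whose ampersand was itself escaped.
function looksDoubleEncoded(s) {
  return /&amp;(?:amp|lt|gt|quot|#39);/.test(s);
}

// Constructed user input containing the characters that matter.
const userInput = '<script>alert(1)</script> & "quotes" it\'s';
const stored = htmlEncode(userInput);            // what the database holds
const shownInTextbox = textboxValue(stored);     // equals userInput again
const reEncoded = htmlEncode(stored);            // the mistake to avoid

console.log("stored:        ", stored);
console.log("textbox shows: ", shownInTextbox);
console.log("double-encoded:", looksDoubleEncoded(reEncoded));
```

The jQuery line in the question, `$(this).html(obj.Description).text()`, decodes by letting the browser parse the encoded string as markup and then reading the text back; `.text()` alone is the safe direction (it encodes), and `.val()` needs no entity handling at all.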