Draft for Information Only
Content
How to: Protect Against Script Exploits Protect Against Script Exploits in a Web Application To apply HTML encoding to a string Note Examples Examples of ASP.NET C# page Examples of ASP.NET VB page See Also Concepts Source and Reference
How to: Protect Against Script Exploits
Protect Against Script Exploits in a Web Application
Most scripting exploits occur when users can get executable code (or script) into your application. By default, ASP.NET provides request validation, which raises an error if a form post contains any HTML.
You can help protect against script exploits in the following ways:
Perform parameter validation on form variables, query-string variables, and cookie values. This validation should include two types of verification: verification that the variables can be converted to the expected type (for example, convert to an integer, convert to date-time, and so on), and verification of expected ranges or formatting. For example, a form post variable that is intended to be an integer should be checked with the Int32.TryParse method to verify the variable really is an integer. Furthermore, the resulting integer should be checked to verify the value falls within an expected range of values.
Apply HTML encoding to string output when writing values back out to the response. This helps ensure that any user-supplied string input will be rendered as static text in the browsers instead of executable script code or interpreted HTML elements.
HTML encoding converts HTML elements using HTML–reserved characters so that they are displayed rather than executed.
To apply HTML encoding to a string
Before displaying strings, call the
HtmlEncode method. HTML elements are converted into string representations that the browser will display rather than interpret as HTML.
The following example illustrates HTML encoding. In the first instance, the user input is encoded before being displayed. In the second instance, data from a database is encoded before being displayed.
Note
This example will only work if you disable request validation in the page by adding the
@ Page attribute ValidateRequest="false". It is not recommended that you disable request validation in a production application, so make sure that you enable request validation again after viewing this example.
Examples
Examples of ASP.NET C# page Examples of ASP.NET C# page
ASP.NET Code Input: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head runat="server">
<title>Sample Page</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<%@ Page Language="C#" %>
<script runat="server">
// Define a handler for the button click.
protected void SubmitBtn_Click(object sender, EventArgs e)
{
MySpan.InnerHtml = "HtmlEncode = " + Server.HtmlEncode(Server.HtmlEncode(MyTextBox.Text)) + ".";
}
</script>
</head>
<body>
<form id="form1" runat="server">
<h3>HtmlEncode Page Example</h3>
<div>
<table>
<tr>
<td>Enter String '<' Only: </td>
<td> <asp:textbox id="MyTextBox" runat="server"/> </td>
</tr>
<tr>
<td>
<asp:Button id="MyButton" text="Click Here" onclick="SubmitBtn_Click" runat="server"/></td>
</tr>
<tr>
<td> <asp:CompareValidator ID="ValueValidator1" runat="server" ErrorMessage="ValueValidator" ControlToValidate="MyTextBox" ValueToCompare="<" /> </td>
<td><span id="MySpan" runat="server" /></td>
</tr>
</table>
</div>
</form>
</body>
</html>
HTTP Response Output: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>
Sample Page
</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8" /></head>
<body>
<form method="post" action="./aspnetht_protectagainstscriptexploits_001a_01.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
<div class="aspNetHidden">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTIxMzExNTkwMDdkZCh1UYC3hENj2ouNkNAeUXXZVucJ9VjA5HC/Ic7EuT37" />
</div>
<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>
<script src="/sideway/WebResource.axd?d=c0VQ4AP-KK4FHoaOdcAZOCJhX3lppsLz7VfAgWyB2y5HqnBnSm15H8NFEFRPslCkG3DpC6-rf3gN1xqhjtS2DHh7wpbKtaEKERbM94a2ckY1&t=637688112097945149" type="text/javascript"></script>
<script src="/sideway/WebResource.axd?d=KTG0uDevdKWz2OmyVNVBYJQUfGzYPcBkQtffgbcLMp-XUh_hG-KITZAyKQSMEEO5V_FNrBJTWz4n-JMWOTVY6pSHvvSjU3dqLkZyNqqMjuM1&t=637688112097945149" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
function WebForm_OnSubmit() {
if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
return true;
}
//]]>
</script>
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9C4D66ED" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAPGxH00v12VbfJ2hGwsHmCk0e0Nr0U0RT07K3lzrTTZzszCeMQBMuEffVPlinxaUAbEZF5m5/C6swPjZFvTQVipVw6/qMycwLyAJ5r2zxBEIA==" />
</div>
<h3>HtmlEncode Page Example</h3>
<div>
<table>
<tr>
<td>Enter String '<' Only: </td>
<td> <input name="MyTextBox" type="text" id="MyTextBox" /> </td>
</tr>
<tr>
<td>
<input type="submit" name="MyButton" value="Click Here" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("MyButton", "", true, "", "", false, false))" id="MyButton" /></td>
</tr>
<tr>
<td> <span id="ValueValidator1" style="visibility:hidden;">ValueValidator</span> </td>
<td><span id="MySpan"></span></td>
</tr>
</table>
</div>
<script type="text/javascript">
//<![CDATA[
var Page_Validators = new Array(document.getElementById("ValueValidator1"));
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
var ValueValidator1 = document.all ? document.all["ValueValidator1"] : document.getElementById("ValueValidator1");
ValueValidator1.controltovalidate = "MyTextBox";
ValueValidator1.errormessage = "ValueValidator";
ValueValidator1.evaluationfunction = "CompareValidatorEvaluateIsValid";
ValueValidator1.valuetocompare = "<";
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
ValidatorOnLoad();
}
function ValidatorOnSubmit() {
if (Page_ValidationActive) {
return ValidatorCommonOnSubmit();
}
else {
return true;
}
}
//]]>
</script>
</form>
</body>
</html>
ASPX Web Page Embedded Output:
Examples of ASP.NET VB page Examples of ASP.NET VB page
ASP.NET Code Input: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head runat="server">
<title>Sample Page</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<%@ Page Language="vb" %>
<script runat="server" >
'Define a handler for the button click.
Protected Sub SubmitBtn_Click(ByVal sender As Object, ByVal e As System.EventArgs)
MySpan.InnerHtml = "HtmlEncode = " + Server.HtmlEncode(Server.HtmlEncode(MyTextBox.Text)) + "."
end sub
</script>
</head>
<body>
<form id="form1" runat="server">
<h3>HtmlEncode Page Example</h3>
<div>
<table>
<tr>
<td>Enter String '<' Only: </td>
<td> <asp:textbox id="MyTextBox" runat="server"/> </td>
</tr>
<tr>
<td>
<asp:Button id="MyButton" text="Click Here" onclick="SubmitBtn_Click" runat="server"/></td>
</tr>
<tr>
<td> <asp:CompareValidator ID="ValueValidator1" runat="server" ErrorMessage="ValueValidator" ControlToValidate="MyTextBox" ValueToCompare="<" /> </td>
<td><span id="MySpan" runat="server" /></td>
</tr>
</table>
</div>
</form>
</body>
</html>
HTTP Response Output: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>
Sample Page
</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8" /></head>
<body>
<form method="post" action="./aspnetht_protectagainstscriptexploits_001a_02.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
<div class="aspNetHidden">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTIxMzExNTkwMDdkZIc+bDf9Ojt63tWqDP3m5Vphi0S4oK/+aXGSzV/UqSSW" />
</div>
<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>
<script src="/sideway/WebResource.axd?d=c0VQ4AP-KK4FHoaOdcAZOCJhX3lppsLz7VfAgWyB2y5HqnBnSm15H8NFEFRPslCkG3DpC6-rf3gN1xqhjtS2DHh7wpbKtaEKERbM94a2ckY1&t=637688112097945149" type="text/javascript"></script>
<script src="/sideway/WebResource.axd?d=KTG0uDevdKWz2OmyVNVBYJQUfGzYPcBkQtffgbcLMp-XUh_hG-KITZAyKQSMEEO5V_FNrBJTWz4n-JMWOTVY6pSHvvSjU3dqLkZyNqqMjuM1&t=637688112097945149" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
function WebForm_OnSubmit() {
if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
return true;
}
//]]>
</script>
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="2695E677" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAP+edIS3oMBXvxv3UhrIA6U0e0Nr0U0RT07K3lzrTTZzszCeMQBMuEffVPlinxaUAZ3x4jCUh3k/UBUUe6iOUa2VeJliejpVW3tViEepXL9fQ==" />
</div>
<h3>HtmlEncode Page Example</h3>
<div>
<table>
<tr>
<td>Enter String '<' Only: </td>
<td> <input name="MyTextBox" type="text" id="MyTextBox" /> </td>
</tr>
<tr>
<td>
<input type="submit" name="MyButton" value="Click Here" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("MyButton", "", true, "", "", false, false))" id="MyButton" /></td>
</tr>
<tr>
<td> <span id="ValueValidator1" style="visibility:hidden;">ValueValidator</span> </td>
<td><span id="MySpan"></span></td>
</tr>
</table>
</div>
<script type="text/javascript">
//<![CDATA[
var Page_Validators = new Array(document.getElementById("ValueValidator1"));
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
var ValueValidator1 = document.all ? document.all["ValueValidator1"] : document.getElementById("ValueValidator1");
ValueValidator1.controltovalidate = "MyTextBox";
ValueValidator1.errormessage = "ValueValidator";
ValueValidator1.evaluationfunction = "CompareValidatorEvaluateIsValid";
ValueValidator1.valuetocompare = "<";
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
ValidatorOnLoad();
}
function ValidatorOnSubmit() {
if (Page_ValidationActive) {
return ValidatorCommonOnSubmit();
}
else {
return true;
}
}
//]]>
</script>
</form>
</body>
</html>
ASPX Web Page Embedded Output:
See Also
Concepts
Source and Reference
https://docs.microsoft.com/en-us/previous-versions/aspnet/a2a4yykt(v=vs.100)
©sideway
ID: 211000013 Last Updated: 10/13/2021 Revision: 0 Ref:
References
Active Server Pages, , http://msdn.microsoft.com/en-us/library/aa286483.aspx
ASP Overview, , http://msdn.microsoft.com/en-us/library/ms524929%28v=vs.90%29.aspx
ASP Best Practices, , http://technet.microsoft.com/en-us/library/cc939157.aspx
ASP Built-in Objects, , http://msdn.microsoft.com/en-us/library/ie/ms524716(v=vs.90).aspx
Response Object, , http://msdn.microsoft.com/en-us/library/ms525405(v=vs.90).aspx
Request Object, , http://msdn.microsoft.com/en-us/library/ms524948(v=vs.90).aspx
Server Object (IIS), , http://msdn.microsoft.com/en-us/library/ms525541(v=vs.90).aspx
Application Object (IIS), , http://msdn.microsoft.com/en-us/library/ms525360(v=vs.90).aspx
Session Object (IIS), , http://msdn.microsoft.com/en-us/library/ms524319(8v=vs.90).aspx
ASPError Object, , http://msdn.microsoft.com/en-us/library/ms524942(v=vs.90).aspx
ObjectContext Object (IIS), , http://msdn.microsoft.com/en-us/library/ms525667(v=vs.90).aspx
Debugging Global.asa Files, , http://msdn.microsoft.com/en-us/library/aa291249(v=vs.71).aspx
How to: Debug Global.asa files, , http://msdn.microsoft.com/en-us/library/ms241868(v=vs.80).aspx
Calling COM Components from ASP Pages, , http://msdn.microsoft.com/en-us/library/ms524620(v=VS.90).aspx
IIS ASP Scripting Reference, , http://msdn.microsoft.com/en-us/library/ms524664(v=vs.90).aspx
ASP Keywords, , http://msdn.microsoft.com/en-us/library/ms524672(v=vs.90).aspx
Creating Simple ASP Pages, , http://msdn.microsoft.com/en-us/library/ms524741(v=vs.90).aspx
Including Files in ASP Applications, , http://msdn.microsoft.com/en-us/library/ms524876(v=vs.90).aspx
ASP Overview, , http://msdn.microsoft.com/en-us/library/ms524929(v=vs.90).aspx
FileSystemObject Object, , http://msdn.microsoft.com/en-us/library/z9ty6h50(v=vs.84).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms675944(v=vs.85).aspx, , ADO Object Model
ADO Fundamentals, , http://msdn.microsoft.com/en-us/library/windows/desktop/ms680928(v=vs.85).aspx