Link Search Menu Expand Document

Cross-Site Scripting in .NET


Apply the recommended security controls depending on the framework and template engine of choice.


The Razor engine used in ASP.NET Core MVC automatically encodes all output sourced from variables for the HTML context. It uses HTML attribute encoding rules whenever you use the @ directive to render code on the page. You must ensure that you only use @ in an HTML context, not when attempting to insert untrusted input directly into JavaScript.

Context Code ASP.NET Encoding mechanisms
HTML Code and Attribute <div>@user-controlled-variable</div> Automatically encoded
Encode data for use in HTML using HTML entity encoding
JavaScript <script>var id = "@user_controlled-variable";</script> encoder.Encode(string)
Encode data for insertion inside a data value or function argument in JavaScript.


Microsoft - Prevent Cross-Site Scripting (XSS) in ASP.NET Core OWASP - Cross-Site Scripting (XSS) OWASP - Code Review Guide OWASP - Cross-Site Scripting Prevention Cheat Sheet