Cross-Site Scripting in .NET
Prevention
Apply the recommended security controls depending on the framework and template engine of choice.
ASP.NET Core
The Razor engine used in ASP.NET Core MVC automatically encodes all output sourced from variables for the HTML context: whenever you render a value with the @ directive, Razor applies HTML attribute encoding rules to it. Make sure you use @ only in an HTML context, not to insert untrusted input directly into JavaScript. HTML entities mean nothing to the JavaScript parser: inside a `<script>` element they survive as literal text, and in an inline event-handler attribute the browser decodes them back to the raw characters before the JavaScript engine parses the value. For JavaScript, either place the value in a data attribute of an element and read it from script, which the Microsoft guidance referenced below recommends as the safest option, or encode it with a `JavaScriptEncoder` before inserting it into a quoted JavaScript string literal. Neither encoder makes an unquoted position such as `var id = @value;` safe.
Context | Code pattern | Mitigation
---|---|---
HTML code and attribute | `<div>@userControlledVariable</div>` | Automatically encoded: Razor applies HTML entity encoding to a value rendered with `@` in an HTML context
JavaScript | `<script>var id = "@userControlledVariable";</script>` | Vulnerable as written: render the value with `encoder.Encode(string)`, where `encoder` is a `JavaScriptEncoder`, to encode data for insertion inside a quoted data value or function argument in JavaScript
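The following console program is an added example, not code from this page or from Microsoft's documentation. It runs the two encoders Razor gives you over a constructed payload and then simulates the case where the JavaScript-context row of the table bites hardest: a value rendered into an inline event-handler attribute, which the browser entity-decodes before handing it to the JavaScript parser. `WebUtility.HtmlDecode` stands in for that browser step (an approximation assumed by this example), `Payload` is constructed, and the project is assumed to target .NET 6 or later, where `System.Text.Encodings.Web` is part of the shared framework.

```csharp
using System;
using System.Net;
using System.Text.Encodings.Web;

// Added example; not code from the page or from Microsoft's docs.
// Assumes a console project on .NET 6 or later (no package reference needed).
public static class RazorContextDemo
{
    // Constructed sample input: closes a single-quoted JavaScript string
    // literal and appends a statement. Not taken from any real request.
    public const string Payload = "';alert(document.cookie);//";

    // What Razor's @ emits in an HTML context (HtmlEncoder.Default).
    public static string HtmlEncode(string value) => HtmlEncoder.Default.Encode(value);

    // The table's "encoder.Encode(string)" with a JavaScriptEncoder.
    public static string JsEncode(string value) => JavaScriptEncoder.Default.Encode(value);

    // Stand-in for the browser: an attribute value such as onclick="..." is
    // entity-decoded by the HTML parser before the JavaScript parser sees it.
    // WebUtility.HtmlDecode approximates that step (assumption of this example).
    public static string AsSeenByJsInAttribute(string attributeValue)
        => WebUtility.HtmlDecode(attributeValue);

    // True if, once the attribute has been entity-decoded, the rendered value
    // still contains the delimiter of the JavaScript string literal it sits in,
    // i.e. it terminates that literal and the rest is parsed as code.
    public static bool TerminatesJsString(string renderedValue, char delimiter)
        => AsSeenByJsInAttribute(renderedValue).Contains(delimiter);

    public static void Main()
    {
        string html = HtmlEncode(Payload);   // HTML entity encoding only
        string js = JsEncode(Payload);       // JavaScript escapes (\uXXXX)

        Console.WriteLine("HtmlEncoder      : " + html);
        Console.WriteLine("JavaScriptEncoder: " + js);

        // Two ways of rendering the same value into attribute-hosted JavaScript:
        //   <button onclick="go('@Model.Input')">                  HTML encoding only
        //   <button onclick="go('@encoder.Encode(Model.Input)')">  JS-encode, then Razor HTML-encodes
        // Razor HTML-encodes the encoder's output as well, which is why the
        // second line applies HtmlEncode on top of JsEncode.
        string htmlOnly = html;
        string jsThenHtml = HtmlEncode(js);

        Console.WriteLine("JS parser sees (HTML only): go('" + AsSeenByJsInAttribute(htmlOnly) + "')");
        Console.WriteLine("  terminates the literal? " + TerminatesJsString(htmlOnly, '\''));

        Console.WriteLine("JS parser sees (JS+HTML)  : go('" + AsSeenByJsInAttribute(jsThenHtml) + "')");
        Console.WriteLine("  terminates the literal? " + TerminatesJsString(jsThenHtml, '\''));
    }
}
```

Run it with `dotnet run`. The HTML-only rendering turns the quote into an entity, but the simulated attribute decoding restores the bare quote, so `TerminatesJsString` reports that the literal is closed early and the injected call follows as code. The JavaScript-encoded rendering escapes the quote as a `\u` sequence that contains nothing the HTML decoder touches, so the value stays a single string literal. In a view, the same encoding is `@encoder.Encode(Model.Input)` with `@inject JavaScriptEncoder encoder` (and `@using System.Text.Encodings.Web`) at the top of the file, as in the Microsoft guidance referenced below; remember that it only protects a quoted string literal, not a bare `var id = @value;` position.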
References
Microsoft - Prevent Cross-Site Scripting (XSS) in ASP.NET Core
OWASP - Cross-Site Scripting (XSS)
OWASP - Code Review Guide
OWASP - Cross-Site Scripting Prevention Cheat Sheet