From the course: Security in ASP.NET Core
Cross-site scripting (XSS): The defense - ASP.NET Tutorial
Cross-site scripting (XSS): The defense
- [Instructor] In order to defend against cross-site scripting, let's have a closer look at why the attack worked in the first place. When we look at the source code, we'll find the place where the search term is output. So here it's output verbatim. So there is now a script tag in the HTML, and a script tag is an indicator for the browser to essentially say, "Okay, this is JavaScript code, let's run it." Here, the search term appears again, but here we also have some kind of HTML escaping in place. So the angular brackets, which denote an HTML tag, are properly escaped. But we are here in JavaScript, we are not in HTML. So here it doesn't actually help us that much. But the problem indeed is up here. Let's have a look at the implementation. So we had Html.Raw, which did not do any HTML escaping: verbatim output. That was a problem, and we saw that when just outputting something with @, it looked a little bit better. And indeed that's an important countermeasure. If we are outputting…
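The three behaviours the instructor points at, verbatim output via Html.Raw, the HTML encoding that a plain @ expression applies, and the separate encoding needed when the value lands inside a JavaScript block, can be reproduced outside a Razor view. The program below is an added example, not code from the course or its exercise files; it assumes only the `System.Text.Encodings.Web` encoders that ship with .NET and that ASP.NET Core's Razor uses for @ output. The search term is a constructed sample.

```csharp
// Added example (not from the course): contrasts verbatim output, which is what
// Html.Raw produces in a Razor view, with the HTML encoding a plain @ expression
// applies, and with the JavaScript-context encoding needed inside a <script> block.
using System;
using System.Text.Encodings.Web;

public static class SearchTermOutput
{
    // Constructed sample input: a search term that carries a script tag.
    public const string SampleTerm = "<script>alert('xss')</script>";

    // Equivalent of @Html.Raw(term): no encoding at all, so the browser parses
    // the tag and runs the script.
    public static string RenderRaw(string term) => term;

    // Equivalent of @term in a Razor view: HTML-encodes the value so the angle
    // brackets become character references and the browser shows them as text.
    public static string RenderHtmlEncoded(string term) =>
        HtmlEncoder.Default.Encode(term);

    // For a value placed inside a JavaScript string literal, HTML encoding is the
    // wrong tool (the browser's script engine does not decode entities); use the
    // JavaScript encoder so the value cannot end the string or the script block.
    public static string RenderJsStringLiteral(string term) =>
        "\"" + JavaScriptEncoder.Default.Encode(term) + "\"";

    public static void Main()
    {
        Console.WriteLine("Raw  : " + RenderRaw(SampleTerm));
        Console.WriteLine("HTML : " + RenderHtmlEncoded(SampleTerm));
        Console.WriteLine("JS   : " + RenderJsStringLiteral(SampleTerm));
    }
}
```

The design point is that the encoder must match the context the value is written into: `HtmlEncoder` for element content and attribute values, `JavaScriptEncoder` for string literals inside script, and `Html.Raw` only for markup the application itself generated and already trusts.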
Contents
- OWASP Top Ten (2m 45s)
- Cross-site scripting (XSS): The attack (4m 33s)
- Cross-site scripting (XSS): The defense (3m 25s)
- Cross-site scripting (XSS) in JavaScript (4m 40s)
- Cross-site scripting (XSS) in single-page applications (3m 30s)
- Same-origin policy and CORS (4m 26s)
- Enabling CORS in ASP.NET Core web API (6m 23s)
- SQL injection with ADO.NET (2m 25s)
- SQL injection with Entity Framework Core (2m 34s)
- Fixing SQL injection (5m 23s)
- Cross-Site Request Forgery (CSRF): The attack (5m 25s)
- Cross-Site Request Forgery (CSRF): The defense (7m 11s)