A final caveat about ASP.Net's default validation is that its functionality and
effectiveness are not very well documented by Microsoft. The lack of a solid contract
means that default page validation cannot be relied on in all circumstances to protect
web applications; in fact, it becomes questionable whether it can be relied on at all!
Despite this poor contract, page validation can add another layer of defense for an
ASP.Net application and is a useful feature to have in case other protections fail.
Output Encoding
Input validation can be helpful in preventing XSS but is not nearly as effective as consistently
applied output encoding. The .Net Framework has built-in methods for encoding
user input before insertion into response documents. These methods should be used
whenever handling user data, whether that data comes from a user's request or from a
persistent store such as a database. When data is encoded using the .Net Framework,
characters with an HTML meaning, such as angle brackets, are rewritten in an escaped
HTML form.
To encode data, use the System.Web.HttpUtility.HtmlEncode method. This
method takes a string parameter and returns the HTML-encoded version of that string.
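The following is an added example, not code from the book, showing the pattern the text describes: the same untrusted string rendered once by raw concatenation and once through System.Web.HttpUtility.HtmlEncode. It assumes a .Net environment where the System.Web namespace is available (System.Web.dll on the .Net Framework; HttpUtility is also shipped in-box on .NET Core 3.0 and later). The sample input, the class and method names are constructed for illustration; HttpUtility.HtmlAttributeEncode is a real method in the same class and is shown because attribute values are a distinct output context.

```csharp
using System;
using System.Web; // System.Web.HttpUtility

// Added example (hypothetical names): renders a user-supplied display name into HTML.
// The name stands in for data that could come from the request or from a database.
static class OutputEncodingDemo
{
    // Constructed sample input containing characters with an HTML meaning.
    public const string UntrustedName = "<b>Alice</b> & \"friends\"";

    // Unsafe pattern: raw user data concatenated into the response document,
    // so any markup in the value is interpreted by the browser.
    public static string RenderUnencoded(string name)
    {
        return "<p>Welcome, " + name + "</p>";
    }

    // Safe pattern: HtmlEncode rewrites angle brackets, ampersand and quotes
    // into their entity forms, so the browser shows the value as literal text.
    public static string RenderEncoded(string name)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(name) + "</p>";
    }

    // Attribute context: the value sits inside a quoted attribute, so the
    // quote characters must be escaped as well; HtmlAttributeEncode does this.
    public static string RenderAttributeEncoded(string name)
    {
        return "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(name) + "\">";
    }

    static void Main()
    {
        Console.WriteLine("Unencoded element body:");
        Console.WriteLine(RenderUnencoded(UntrustedName));
        Console.WriteLine();
        Console.WriteLine("Encoded element body:");
        Console.WriteLine(RenderEncoded(UntrustedName));
        Console.WriteLine();
        Console.WriteLine("Encoded attribute value:");
        Console.WriteLine(RenderAttributeEncoded(UntrustedName));
    }
}
```

When run, the first line shows the markup passed through untouched, while the second and third show the angle brackets, ampersand and quotes replaced by HTML entities. The check a practitioner wants is that every place user data reaches a response goes through the encoder appropriate to its context: HtmlEncode for element content, HtmlAttributeEncode for attribute values. Encoding on output, at the point of insertion, is what keeps data loaded from a database as safe as data taken directly from a request.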