
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"


Prior to Web 2.0, most applications placed user data only into the page's HTML sections.
With the advent of AJAX and greater usage of JSON and JavaScript, it is more likely that
user data will be in the middle of script blocks that are being evaluated. The .Net
Framework does not provide methods to escape data for insertion into JavaScript, and it
is up to application developers to provide their own.
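
An added example, not from the book: one way an application could supply its own encoder for untrusted data placed inside a quoted JavaScript string literal in a script block, shown beside the unencoded output. The names JsEncoder and EncodeForJsString and the sample inputs are assumptions made for this illustration.

```csharp
using System;
using System.Text;

public static class JsEncoder
{
    // Hypothetical helper: encodes untrusted text for use ONLY inside a quoted
    // JavaScript string literal emitted within an HTML <script> block.
    // Allow-list approach: letters, digits and a few harmless characters pass
    // through; every other UTF-16 code unit becomes a \uXXXX escape, so quotes,
    // backslashes, line breaks and "</script>" can never end the literal or
    // the surrounding script element.
    public static string EncodeForJsString(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        var sb = new StringBuilder(input.Length + 16);
        foreach (char c in input)
        {
            bool safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                        (c >= '0' && c <= '9') ||
                        c == ' ' || c == '.' || c == ',' || c == '_';
            if (safe)
                sb.Append(c);
            else
                sb.Append("\\u").Append(((int)c).ToString("x4"));
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs: one closes the string literal,
        // one closes the script element itself.
        string[] samples = { "\";alert(1);//", "</script><script>alert(1)</script>" };

        foreach (string userData in samples)
        {
            // Unencoded: user data is concatenated straight into the script.
            Console.WriteLine("unsafe : var name = \"" + userData + "\";");
            // Encoded: the same data stays inside the string literal.
            Console.WriteLine("encoded: var name = \"" + EncodeForJsString(userData) + "\";");
        }
    }
}
```

The encoder is correct only for the quoted string-literal context; data written into HTML markup or attributes needs the encoding for that context instead.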

XSS and Web Form Controls
One of the most powerful features of ASP.Net is Web Forms. Developers create Web
Forms containing Web Controls to provide user interface functionality, much as they
would within a standard rich-client application. ASP.Net provides an event infrastructure
that allows Web Controls to receive browser events (for example, a user clicks a
button and the application reacts accordingly). With this eventing infrastructure and
Visual Studio's graphical control layout functionality, programming for the web becomes
an experience very similar to programming a .Net WinForms application. The familiarity
of ASP.Net Web Forms often lulls developers into forgetting about some of the security
issues (such as XSS) that they need to worry about when developing their own web
applications.

