Cross Site Scripting (XSS): An Overview - Possible Solutions
(Page 3 of 5 )
As a Web User:
The first and most effective solution is to disable all scripting language support in your browser and email reader. But the method is not practical as almost all the websites need this to be enabled.
Reasonable caution should be taken when clicking links in anonymous e-mails and dubious web pages.
As a web user, you can’t do much to safeguard you against XSS but must pay extra attention while visiting new sites or following links posted on message boards and like. And as a rule never download files or follow links sent to you from some unknown source.
As a Web Developer:
As a first step, never compromise on validating input. If you are using post method for data submission then client side checks might be sufficient but it is all the more necessary to do server side validation if you are using Get method to retrieve data.
For efficiency reasons use both server side and client side scripting.
Even after all kinds of validation, do use some kind of HTML escaping must be done to avoid XSS.
As a .Net Web Developer
To protect against XSS attacks, the ASP.NET team has added a new feature to ASP.NET 1.1 called Request Validation. Request Validation checks the query string, form input, and other input data for indications of HTML elements, script blocks, or other potentially dangerous data. If such data is found, an exception of type HttpRequestValidationException is thrown.
Request Validation is enabled by default, and can be disabled either at the application level using the validateRequest attribute of the <pages> configuration element:
<page validateRequest="false"/>
Or at the page level using the validateRequest attribute of the @ Page directive:
<% @ Page ValidateRequest="false" %>
Note:
It is highly recommended that you do not disable Request Validation unless you have first ensured that all input to the page or application is being appropriately validated and/or filtered for potentially dangerous data. Failure to heed this recommendation can result in data loss or other serious security problems.
If ValidateRequest is true, entering dangerous data would give a server error whenever user tries to enter malicious data. But you may not want your users to get an impression that it is your server which is at fault rather than his/her input.
Next: Two Cases: True and False >>
More Windows Security Articles
More By Lisa Welch
