how can I prevent XSS in my site

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • mukeshrasm
    Contributor
    • Nov 2007
    • 254
    #1

    how can I prevent XSS in my site

    Hi i am new to asp and few day back some of my friend wrote some javascript code in the address bar and excuted it and for some time my website behaviour changed.

    so how can prevent that other can not do this again
    Tags: None
    • jhardman
      Recognized Expert Specialist
      • Jan 2007
      • 3405
      #2
      There's no single answer to preventing XSS. It sounds like in your case some simple sanitation (escaping the < and & and > and quote marks) would fix the problem, but that doesn't always work.

      Jared

        Comment

        • azrar
          New Member
          • Nov 2008
          • 11
          #3
          Never pass messages in the POST or GET. For example, never have a page where the URL is something like

          mysite.com/register.asp?ms g=please+enter+ your+email

          ..and then display the msg parameter in the QueryString in your HTML page.


          Rather, have keep your QueryString paramaters coded, something like:

          mysite.com/register.asp?ms g=email

          or:

          mysite.com/register.asp?ms g=23


          Then in your ASP code, use a select statement to determine what message to display, like so:

          Code:
          <%
qs_msg = request.QueryString("msg")

Select Case qs_msg
 Case "email":
   display_msg = "Please enter your email address"
 Case "23":
   display_msg = "Please agree to the terms and conditions"
 Case Else
   display_msg = "Unknown error."
End Select

%>

<div class="error"><%=display_msg%></div>

            Comment

            Previous template Next
            Working...