Preventing Cross-Site scripting (XSS) attack

Introduction

Cross-site scripting attack, also called XSS attack, is a security vulnerability found in web applications. In XSS, malicious script is injected into the web pages that are viewed by other users. The injected script is then stored in the system or rendered in the web pages if proper care is not taken to filter the malicious markup and script.

An injected script can read data stored in cookies. With stolen session cookies, the hacker can log in to the user's account without needing the user's credentials. The consequences of cross-site scripting vary depending on the type of script the hacker injects.

In order to understand what cross-site scripting is, we will develop a web page which accepts simple user input.

Below is a design to capture user inputs

As you can see, the user can enter any text in the textarea and submit it to the database using the code shown. The entered data will be stored successfully.

What happens when the user enters the following text in the text area field and tries to submit it?

When the form is submitted, the output the user expects is “This is the demo on XSS attack”. The user wanted to highlight part of the text using some HTML elements, as shown in the comments field.

But the user will get an error, as shown below, because ASP.NET by default validates all input controls for potentially unsafe content that could lead to cross-site scripting (XSS) or SQL injection. By throwing an exception it ensures such content is not accepted.

It is recommended to leave this check enabled for every post, which is the default.

Let us try to solve this issue and consider a situation where you need to submit HTML content to the page through text boxes or text areas while avoiding this exception.

  1. Set the ValidateRequest attribute in the @Page directive to false. This disables request validation for that page only.
  2. If you want to disable this check throughout your web application, set it to false in the <system.web> section of your web.config:
    <pages validateRequest="false" />
  3. If you are using .NET 4, you also need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file:
    <httpRuntime requestValidationMode="2.0" />
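Disabling request validation for the whole application (item 2) removes a built-in defence from every page. If only the comments page needs to accept markup, the same setting can be scoped to that page with a <location> element, which keeps validation on everywhere else. The following web.config is an added example, not from the original post; it assumes the page is named Comments.aspx and the site targets .NET 4:

```xml
<configuration>
  <system.web>
    <!-- On .NET 4 the per-page setting below only takes effect in 2.0 validation mode (item 3) -->
    <httpRuntime requestValidationMode="2.0" />
  </system.web>

  <!-- Request validation stays enabled for every page except the one that accepts HTML -->
  <location path="Comments.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

Scoping the relaxation this way means the page that accepts markup is the only one whose output needs the encoding described later, and any other page that forgets to encode is still protected by the validator.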

Now if the following JavaScript was entered into the comments text area:

<script>
  alert('XSS Attack')
</script>

The result would be:

The above example shows a simple cross-site scripting attack. A hacker can inject any malicious script into the text area and steal important information such as session cookies or credentials, so it is important for the developer to prevent cross-site scripting.

Preventing cross-site scripting (XSS):

Cross-site scripting attacks can be prevented if all user input is encoded before it is rendered. You can use HttpUtility.HtmlEncode(txtinput.Text) to encode the text area content entered by the user.

This ensures that special characters such as <, > and & are encoded properly.

After encoding the text area input provided by the user, the output is rendered as:

&lt;script&gt; alert('XSS Attack') &lt;/script&gt;

The alert message is not shown on the screen even though the input contains a <script>alert('XSS Attack')</script> tag. Instead, the HTML mark-up is encoded and then displayed as text on the page. You can use the Server.HtmlDecode() method to decode the encoded script.
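The following console program is an added example, not code from the original post. It contrasts the vulnerable rendering (the untrusted value concatenated straight into markup, which is what assigning txtInput.Text to a label amounts to) with the encoded rendering the post recommends, and goes a little beyond the post by showing that the encoder has to match the context the value lands in: HttpUtility.HtmlEncode is for element content, HtmlAttributeEncode for attribute values and JavaScriptStringEncode for string literals inside a script block. It also shows that decoding the value with HtmlDecode before rendering simply restores the original input. The class and method names are assumptions; the sample payload is constructed. System.Web.HttpUtility is available on .NET Framework and on .NET Core 2.0 or later.

```csharp
using System;
using System.Web;

public static class XssEncodingDemo
{
    // Constructed sample input: the payload the post types into the comments box.
    public const string Payload = "<script>alert('XSS Attack')</script>";

    // Vulnerable: the untrusted value is concatenated straight into the markup.
    // In a Web Forms code-behind this is lblComment.Text = txtInput.Text
    // (lblComment and txtInput are assumed control names).
    public static string RenderRaw(string untrusted)
    {
        return "<div class=\"comment\">" + untrusted + "</div>";
    }

    // Hardened: encode at the point where the value is written into element content.
    // '<', '>', '&' and '"' are turned into entities, so the browser sees text, not a tag.
    public static string RenderEncoded(string untrusted)
    {
        return "<div class=\"comment\">" + HttpUtility.HtmlEncode(untrusted) + "</div>";
    }

    // Attribute context: a value inside value="..." needs the attribute encoder,
    // which also encodes the quote characters that would end the attribute.
    public static string RenderInAttribute(string untrusted)
    {
        return "<input value=\"" + HttpUtility.HtmlAttributeEncode(untrusted) + "\" />";
    }

    // Script context: HtmlEncode is the wrong tool inside <script>; the JavaScript
    // string encoder escapes '<' and quotes so the literal cannot close the block.
    // addDoubleQuotes = true wraps the result in double quotes.
    public static string RenderInScript(string untrusted)
    {
        return "<script>var comment = "
             + HttpUtility.JavaScriptStringEncode(untrusted, true)
             + ";</script>";
    }

    // Decoding (the post's Server.HtmlDecode) restores the original text, so decoding
    // before rendering undoes the protection. Returns true when the round trip is exact.
    public static bool RoundTrips(string untrusted)
    {
        return HttpUtility.HtmlDecode(HttpUtility.HtmlEncode(untrusted)) == untrusted;
    }

    public static void Main()
    {
        Console.WriteLine("Raw:       " + RenderRaw(Payload));
        Console.WriteLine("Encoded:   " + RenderEncoded(Payload));
        Console.WriteLine("Attribute: " + RenderInAttribute(Payload));
        Console.WriteLine("Script:    " + RenderInScript(Payload));
        Console.WriteLine("Decode restores original input: " + RoundTrips(Payload));
    }
}
```

Run it as a plain console project; the first line of output is the markup a browser would execute, the next three are the same payload rendered harmless in each context. The practical rule it illustrates is to keep the stored value as the user typed it and encode on output, choosing the encoder by where the value is inserted, rather than decoding stored data back into live markup.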

If this blog was useful, don’t miss my next blog in which I will discuss Cross-Site scripting (XSS) using Burp Suite.

Author

  • Anand Suryavanshi works as Technical Lead with Trigent Software. He has over eight years of experience in Microsoft .NET technologies and has worked extensively on migrating .NET applications and performance tuning. His interests lie in learning new technologies, listening to music and playing cricket.