As per “Wiki”: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
In other words, a script is injected into your application and breaks it. There are two kinds of script injection:
- Passive injection – the website accepts malicious script as user input, and the script is executed and displayed in the page.
- Active injection – the website accepts unwanted script as user input and saves it to the database. The script is then executed when the stored data is redisplayed to a user later.
Solution:
- Never trust any data that your users input; always encode user input.
- Use the simple encoding techniques provided by the MVC HTML helper, i.e. Html.Encode, or Html.AttributeEncode for attribute values.
- In some scenarios HTML encoding will not prevent JavaScript from executing, so it is good to apply JavaScript encoding as well.
Microsoft provides the “AntiXSS” library package for handling XSS threats. You can install it through NuGet and call Html.Encode, which will take care of both HTML and JavaScript encoding.
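
The scenario in the third bullet, where HTML encoding leaves a value unsafe inside a JavaScript string, shown as an added C# example (not code from the original page). It uses the `HttpUtility` encoders in place of the MVC helpers. The sample input, the simplified `JsValueOf` model of JavaScript escape decoding, and the assumption that the page's script later writes the variable into the DOM as HTML are all constructed for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility encoders stand in for the MVC helpers in this example

static class EncodingContextDemo
{
    // Constructed input: no <, >, & or quotes, only JavaScript hex escapes.
    const string Sample = @"\x3cb\x3einjected\x3c/b\x3e";

    // Simplified model (an assumption of this example) of how a JavaScript engine
    // reads a string literal: \\ becomes \, and \xNN becomes the character NN.
    static string JsValueOf(string literalBody) =>
        Regex.Replace(literalBody, @"\\(\\|x([0-9a-fA-F]{2}))", m =>
            m.Groups[2].Success
                ? ((char)Convert.ToInt32(m.Groups[2].Value, 16)).ToString()
                : "\\");

    static void Show(string label, string encoded)
    {
        string value = JsValueOf(encoded);
        Console.WriteLine(label);
        Console.WriteLine("  script: var name = '" + encoded + "';");
        Console.WriteLine("  value the script sees: " + value);
        // Assumption: the script later assigns this value to an HTML sink.
        Console.WriteLine("  contains markup: " + value.Contains("<"));
    }

    static void Main()
    {
        // HTML body and attribute contexts: HTML encoding is the right tool here.
        Console.WriteLine("<p title=\"" + HttpUtility.HtmlAttributeEncode(Sample) + "\">"
            + HttpUtility.HtmlEncode(Sample) + "</p>");

        // Weak: HTML encoding does not touch backslashes, so the hex escapes
        // survive and the JavaScript engine turns them back into angle brackets.
        Show("HTML-encoded inside a script string", HttpUtility.HtmlEncode(Sample));

        // Corrected: JavaScript string encoding escapes the backslashes, so the
        // script sees the input as literal text.
        Show("JavaScript-encoded inside a script string",
            HttpUtility.JavaScriptStringEncode(Sample));
    }
}
```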