
Does an ASP.NET application protect against cross-site scripting by default? I have read that the machine.config file has an attribute that is set to on by default and that this protects against cross-site scripting. Is this true?

  • By default you cannot submit a script-like tag to an ASP.NET form; on MVC every output gets HTML encoded before being printed to the client, so the answer is yes. Commented Jul 6, 2013 at 13:18
  • Thanks :) That's what I wanted to hear :) So an ASP.NET application automatically protects against cross-site scripting by default? Commented Jul 6, 2013 at 13:19
  • XSS is covered, CSRF is not. You can try to create a simple form and test it yourself. Commented Jul 6, 2013 at 13:22
  • Yes. In fact I tested it on a web application of mine and when I entered characters like "<>", an exception was raised. Commented Jul 6, 2013 at 13:23

1 Answer
<system.web>
  <pages buffer="true" validateRequest="true" />
</system.web>

You can use the AntiXSS library in addition.

2 Comments

Thanks :) That's the line I was talking about. That protects against cross-site scripting. Am I correct in saying that?
That question has been asked many times before. The answer is "it depends on your app". See my answer here: stackoverflow.com/questions/9733427/…
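
Added example, not part of the original posts: `validateRequest` inspects incoming input, while an encoding library such as the AntiXSS library the answer mentions works on output, encoding each value for the context it is written into. This C# sketch uses the framework's `System.Web.HttpUtility` encoders as a stand-in; the sample values and the `Render*` helper names are constructed for illustration.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework, System.Web.HttpUtility on .NET Core and later)

static class OutputEncodingDemo
{
    // Constructed sample inputs. Neither contains an angle bracket, so a check
    // that only looks for tag-like input has nothing to reject.
    const string AttrSample = "x\" data-injected=\"1";
    const string JsSample = "'; var injected = 1; //";

    // HTML element content: &, <, > and quotes become entities.
    static string RenderBody(string value) =>
        "<p>Hello, " + HttpUtility.HtmlEncode(value) + "</p>";

    // HTML attribute value: the attribute must be quoted AND the value encoded,
    // otherwise a quote in the value ends the attribute early.
    static string RenderAttribute(string value) =>
        "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(value) + "\" />";

    // JavaScript string literal: HTML encoding is the wrong tool here,
    // the value needs JavaScript string escaping.
    static string RenderScript(string value) =>
        "<script>var name = '" + HttpUtility.JavaScriptStringEncode(value) + "';</script>";

    // URL query-string component.
    static string RenderLink(string value) =>
        "<a href=\"/search?q=" + HttpUtility.UrlEncode(value) + "\">search</a>";

    static void Main()
    {
        // Unencoded, for comparison: the quote in the value closes the
        // attribute and the rest is parsed as a new attribute.
        Console.WriteLine("<input type=\"text\" value=\"" + AttrSample + "\" />");

        // The same data, encoded for each output context.
        Console.WriteLine(RenderAttribute(AttrSample));
        Console.WriteLine(RenderBody(AttrSample));
        Console.WriteLine(RenderScript(JsSample));
        Console.WriteLine(RenderLink(AttrSample));
    }
}
```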
