ASP.NET Output Encoding

= DRAFT DOCUMENT - WORK IN PROGRESS =

Description
Cross-site scripting attacks exploit vulnerabilities in web page validation by injecting client-side script code. The script code embeds itself in response data, which is sent back to an unsuspecting user. In addition to validating input, any data retrieved from untrusted or shared sources should be encoded on output. For example: data retrieved from a database that may have had malicious input persisted to it.

Validating Input
See the ASP.NET Request Validation article for details on how request validation can be used to protect against malicious input.

Encoding Output Values in Code
Use  to encode untrusted data for use in HTML output: var encodedHtml = Server.HtmlEncode(untrustedData);

Use  to encode untrusted data for use in constructing URLs var encodedUrl = Server.UrlEncode(untrustedData);

Use  to encode untrusted data in byte array form for use as a URL parameter var encodedUrlToken = Server.UrlTokenEncode(untrustedData);

Encoding Output Values in HTML markup
You can HTML encode the value in markup with the  syntax, as shown below. <%: untrustedData%>

Or, in Razor syntax, you can HTML encode with, as shown below. @untrustedData

Preventing Double Encoding
You may run into a scenario where encoding values results in them becoming double encoded on output. ASP.NET provides the  and   classes starting with .NET 4.0 which are designed to help. These both implement the  interface which will instruct ASP.NET to not apply encoding within HTML markup when using   or. Converting a property on your view model from  to   will instruct ASP.NET that HTML encoding has already been accounted for.

public class User {   public int Id { get; set; } public string Name { get; set; } public MvcHtmlString Description { get; set; } // Output encoding is handled manually }

Enhanced Encoding
By default the ASP.NET encoding methods use a black-listing technique that evaluates the string for a set of character combinations that may indicate presence of malicious script. A superior approach is to use a white-listing technique for validation, which can be achieved using the Anti-Cross Site Scripting Library from Microsoft. Starting with ASP.NET 4.5 you can specify that the  from this library be used as the default encoder for you entire application using the   setting in web.config as shown below. 

If you are using a version of .NET earlier than 4.5, you will need to download and include the library as a reference to your project, and then use the earlier library name for the encodeType setting as shown below. 

In addition to the common  and   methods, the Anti-Cross Site Scripting Library provides the following   methods for more specialized output encoding needs: