Thursday, December 21, 2006

Features or improvements that ASP.NET 3.0 should have!

1. Wherever a control has a text-related XSS vulnerability, the control should have a property like the Literal control's Mode property to check this vulnerability.

Security Alerts:

  1. By default, populating the TableCell control with data from untrusted sources can create XSS vulnerabilities.
  2. By default, populating the Literal control with data from untrusted sources can create Cross Site Scripting (XSS) vulnerabilities. Set the Mode property to Encode to provide HTML encoding of untrusted data that will be placed into the Text property.
  3. Populating the Label control with data from an untrusted source can create Cross Site Scripting (XSS) vulnerabilities.
  4. Populating the CheckBox control’s Text property with data from an untrusted source can create Cross Site Scripting (XSS) vulnerabilities.
  5. Populating the RadioButton control’s Text property with data from an untrusted source can create Cross Site Scripting (XSS) vulnerabilities.

Be sure to HTML encode all data using either the Server.HtmlEncode or the HttpUtility.HtmlEncode method.
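The following code-behind is an added example, not code from the original post. It shows the encoding applied to each of the five controls listed above. The page class name `Greeting`, the `name` query-string parameter and the presence of a `<form runat="server">` in the markup are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind class; assumes the .aspx contains <form runat="server">.
public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input (the "name" parameter is an assumption for this example).
        string untrusted = Request.QueryString["name"] ?? string.Empty;

        // Encode once; Server.HtmlEncode(untrusted) gives the same result.
        string encoded = HttpUtility.HtmlEncode(untrusted);

        // Literal: the one control in the list with a built-in switch.
        // The default Mode is LiteralMode.Transform, which does not encode.
        Literal literal = new Literal();
        literal.Mode = LiteralMode.Encode;
        literal.Text = untrusted;            // encoded by the control at render time

        // Label, CheckBox, RadioButton, TableCell: no Mode property,
        // so the Text value has to be encoded before it is assigned.
        Label label = new Label();
        label.Text = encoded;                // not: label.Text = untrusted;

        CheckBox checkBox = new CheckBox();
        checkBox.Text = encoded;

        RadioButton radioButton = new RadioButton();
        radioButton.Text = encoded;

        TableCell cell = new TableCell();
        cell.Text = encoded;
        TableRow row = new TableRow();
        row.Cells.Add(cell);
        Table table = new Table();
        table.Rows.Add(row);

        // Add the controls to the server form so they render.
        Control[] controls = { literal, label, checkBox, radioButton, table };
        foreach (Control control in controls)
        {
            Form.Controls.Add(control);
        }
    }
}
```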