Click here to Skip to main content
15,436,928 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
Could you please assist on the security vulnerability of DataTable or DataSet in which is binding to Gridview.DataSource = dataset;

What I have tried:

I have tried to HttpUtility.HtmlEncode but working for dataset
Updated 11-Oct-20 9:31am

1 solution

Reference: eval - Prevent Cross site scripting attack in C#[^]

To prevent XSS when using TemplateField on .NET Frameworks 4.0 or older you can use Microsoft Web Protection Library[^] on the aspx page. On .NET Framework 4.5 and above, it is already integrated with the Frameworks.
Frameworks 4.0 or older.
<asp:Label ID="Name" runat="server" 
     Text='<%#Microsoft.Security.Application.Encoder.HtmlEncode(Eval("Name").ToString()) %>'> 

Frameworks 4.5 and above:
<asp:Label ID="Name" runat="server" 
     Text='<%#System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("Name").ToString(),true) %>'> 

This will encode your label when they rendered. Use it only for the ItemTemplate, EditItemTemplate render has html input text and it will be encoded by the framework by default.

Another article that would be a good read: Preventing XSS in ASP.Net Made Easy[^]
Share this answer
BillWoodruff 12-Oct-20 1:12am    

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900